Information technology - Security techniques - Information security management system implementation guidance

ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.

French title: Information technology — Security techniques — Guidelines for the implementation of the information security management system

Slovenian title: Information technology — Security techniques — Guidelines for the implementation of the information security management system

This International Standard focuses on the critical aspects needed for the successful design and implementation of an information security management system (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this International Standard as the ISMS project) and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan. This International Standard is used by organizations implementing an ISMS. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes. Each organization's complexity and risks are unique, so its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities noted in this International Standard are applicable to them and can be simplified. Large and complex organizations may find that a layered organization or management system is needed to manage the activities in this International Standard effectively. However, in both cases the relevant activities can be planned by applying this International Standard. This International Standard gives recommendations and explanations; it does not specify any requirements. This International Standard is used together with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this International Standard is not appropriate.

General Information

Status: Withdrawn
Publication Date: 02-Feb-2010
Withdrawal Date: 02-Feb-2010
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 12-Apr-2017
Completion Date: 08-Nov-2025

Relations

Standard
ISO/IEC 27003:2010 - Information technology -- Security techniques -- Information security management system implementation guidance
English language
68 pages
Standard
ISO/IEC 27003:2011 - BARVE
English language
73 pages
Standard
ISO/IEC 27003:2010
Arabic language
12 pages
Standard – translation
ISO/IEC 27003:2011
Slovenian language
64 pages

Frequently Asked Questions

ISO/IEC 27003:2010 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Security techniques - Information security management system implementation guidance". This standard covers: ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.


ISO/IEC 27003:2010 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC 27003:2010 has the following relationship with other standards: it has an inter-standard link to ISO/IEC 27003:2017. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO/IEC 27003:2010 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 27003
First edition
2010-02-01
Information technology — Security techniques — Information security management system implementation guidance
French title: Information technology — Security techniques — Guidelines for the implementation of the information security management system
© ISO/IEC 2010

©  ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved

Contents
Foreword ..... iv
Introduction ..... v
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Structure of this International Standard ..... 2
4.1 General structure of clauses ..... 2
4.2 General structure of a clause ..... 3
4.3 Diagrams ..... 3
5 Obtaining management approval for initiating an ISMS project ..... 5
5.1 Overview of obtaining management approval for initiating an ISMS project ..... 5
5.2 Clarify the organization's priorities to develop an ISMS ..... 7
5.3 Define the preliminary ISMS scope ..... 9
5.4 Create the business case and the project plan for management approval ..... 11
6 Defining ISMS scope, boundaries and ISMS policy ..... 12
6.1 Overview of defining ISMS scope, boundaries and ISMS policy ..... 12
6.2 Define organizational scope and boundaries ..... 15
6.3 Define information communication technology (ICT) scope and boundaries ..... 16
6.4 Define physical scope and boundaries ..... 17
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries ..... 18
6.6 Develop the ISMS policy and obtain approval from management ..... 19
7 Conducting information security requirements analysis ..... 20
7.1 Overview of conducting information security requirements analysis ..... 20
7.2 Define information security requirements for the ISMS process ..... 22
7.3 Identify assets within the ISMS scope ..... 23
7.4 Conduct an information security assessment ..... 24
8 Conducting risk assessment and planning risk treatment ..... 25
8.1 Overview of conducting risk assessment and planning risk treatment ..... 25
8.2 Conduct risk assessment ..... 27
8.3 Select the control objectives and controls ..... 28
8.4 Obtain management authorization for implementing and operating an ISMS ..... 29
9 Designing the ISMS ..... 30
9.1 Overview of designing the ISMS ..... 30
9.2 Design organizational information security ..... 33
9.3 Design ICT and physical information security ..... 38
9.4 Design ISMS specific information security ..... 40
9.5 Produce the final ISMS project plan ..... 44
Annex A (informative) Checklist description ..... 45
Annex B (informative) Roles and responsibilities for Information Security ..... 51
Annex C (informative) Information about Internal Auditing ..... 55
Annex D (informative) Structure of policies ..... 57
Annex E (informative) Monitoring and measuring ..... 62
Bibliography ..... 68


Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation
plan for an Information Security Management System (ISMS) within an organization in accordance with
ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described within this International Standard has been designed to support the implementation of
ISO/IEC 27001:2005 (the relevant parts of Clauses 4, 5 and 7 inclusive) and to document:
a) the preparation for beginning an ISMS implementation plan in an organization, defining the organizational
structure for the project, and gaining management approval,
b) the critical activities for the ISMS project, and
c) examples of how to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security
management, giving stakeholders the assurance that risks to information assets are continuously maintained
within acceptable information security bounds as defined by the organization.
This International Standard does not cover the operational activities and other ISMS activities, but covers the
concepts of how to design the activities that will take place once ISMS operations begin. This design work results
in the final ISMS project implementation plan. The actual execution of the organization-specific part of an
ISMS project is outside the scope of this International Standard.
The implementation of the ISMS project should be carried out using standard project management
methodologies (for more information please see ISO and ISO/IEC Standards addressing project
management).

INTERNATIONAL STANDARD ISO/IEC 27003:2010(E)

Information technology — Security techniques — Information
security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes
the process of ISMS specification and design from inception to the production of implementation plans. It
describes the process of obtaining management approval to implement an ISMS, defines a project to
implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on
how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to
all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all
sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS
implementation. Smaller organizations will find that the activities noted in this International Standard are
applicable to them and can be simplified. Large-scale or complex organizations might find that a layered
organization or management system is needed to manage the activities in this International Standard
effectively. However, in both cases, the relevant activities can be planned by applying this International
Standard.
This International Standard gives recommendations and explanations; it does not specify any requirements.
This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and
ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in
ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this
International Standard is not appropriate.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009,
ISO/IEC 27001:2005 and the following apply.
3.1
ISMS project
structured activities undertaken by an organization to implement an ISMS

4 Structure of this International Standard
4.1 General structure of clauses
The implementation of an ISMS is an important activity and is generally executed as a project in an
organization. This document explains the ISMS implementation by focusing on the initiation, planning, and
definition of the project. The process of planning the ISMS final implementation contains five phases and each
phase is represented by a separate clause. All clauses have a similar structure, as described below. The five
phases are:
a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining ISMS Scope and ISMS Policy (Clause 6)
c) Conducting Organization Analysis (Clause 7)
d) Conducting Risk Assessment and Risk Treatment planning (Clause 8)
e) Designing the ISMS (Clause 9)
Figure 1 illustrates the five phases of the planning of the ISMS project referring to ISO/IEC standards and
main output documents.
Figure 1 — ISMS project phases
Further information is noted in the annexes. These annexes are:
Annex A. Summary of activities with references according to ISO/IEC 27001:2005
Annex B. Information security roles and responsibilities
Annex C. Information on planning of internal audits
Annex D. Structure of policies
Annex E. Information on planning of monitoring and measuring

4.2 General structure of a clause
Each clause contains:
a) one or more objectives stating what is to be achieved, noted at the beginning of each clause in a text box; and
b) one or more activities necessary to achieve the phase objective or objectives.
Each activity is described in a subclause.
Activity descriptions in each subclause are structured as follows:
Activity
The activity describes what is necessary to satisfy it, thereby achieving all or part of the phase objectives.
Input
The input describes the starting point, such as the existence of documented decisions or outputs from other
activities described in this International Standard. An input may be referenced either as the complete output
of an activity, by stating only the relevant clause, or as specific information from an activity, added after the
clause reference.
Guidance
The guidance provides detailed information to enable performing this activity. Some of the guidance may not
be suitable in all cases and other ways of achieving the results may be more appropriate.
Output
The output describes the result(s) or deliverable(s), upon completion of the activity; e.g. a document. The
outputs are the same, independent of the size of the organization or the ISMS scope.
Other information
The other information provides any additional information that may assist in performing the activity, for
example references to other standards.
NOTE The phases and activities described in this document include a suggested sequence of performing activities
based on the dependencies identified through each of the activities’ “Input” and “Output” descriptions. However,
depending on many different factors (e.g., effectiveness of management system currently in place, understanding with
regard to the importance of information security, reasons for implementing an ISMS), an organization may select any
activity in any order as necessary to prepare for the establishment and implementation of the ISMS.
4.3 Diagrams
A project is often illustrated in graphical or diagram form showing an overview of activities and outputs.
Figure 2 shows the legend for the diagrams that appear in the overview subclause of each phase. The
diagrams provide a high-level overview of the activities included in each phase.


Figure 2 — Flow diagram legend


The upper square illustrates the planning phases of an ISMS project. The phase explained in the specific
clause is then emphasized with its key output documents.
The lower diagram (activities of the phase) includes the key activities which are included in the emphasized
phase of the upper square, and main output documents of each activity.
The timeline in the lower square is based on the timeline in the upper square.
Activity A and Activity B can be executed at the same time. Activity C should be started after Activity A and B
are finished.
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
There are several factors that should be taken into consideration when deciding to implement an ISMS. In
order to address these factors, management should understand the business case of an ISMS implementation
project and approve it. Therefore the objective of this phase is:
Objective:
To obtain management approval to start the ISMS project by defining a business case and the project plan.
In order to acquire management approval, an organization should create a business case which includes the
priorities and objectives to implement an ISMS in addition to the structure of the organization for the ISMS.
The initial ISMS project plan should also be created.
The work performed in this phase will enable the organization to understand the relevance of an ISMS, and
clarify the information security roles and responsibilities within the organization needed for an ISMS project.
The expected output of this phase will be the preliminary management approval of, and commitment to,
implementing an ISMS and performing the activities described in this International Standard. The deliverables
from this clause include a business case and a draft ISMS project plan with key milestones.
Figure 3 illustrates the process to obtain management approval to initiate the ISMS project.
NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one
of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of
ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in
this document.

Figure 3 — Overview of obtaining management approval for initiating an ISMS project


5.2 Clarify the organization’s priorities to develop an ISMS
Activity
The objectives for implementing an ISMS should be established by considering the organization's information
security priorities and requirements.
Input
a) the organization’s strategic objectives
b) overview of the existing management systems
c) a list of legal, regulatory, and contractual information security requirements applicable to the organization
Guidance
In order to start the ISMS project, management approval is generally needed. Therefore, the first activity that
should be performed is to collect the relevant information illustrating the value of an ISMS to the organization.
The organization should clarify why an ISMS is needed and decide the objectives of the ISMS implementation
and initiate the ISMS Project.
The objectives for implementing an ISMS can be determined by answering the following questions:
a) risk management – How will an ISMS generate better management of information security risks?
b) efficiency – How can an ISMS improve the management of information security?
c) business advantage – How can an ISMS create competitive advantage for the organization?
In order to answer the questions above, the organization’s security priorities and requirements are addressed
by the following possible factors:
a) critical businesses and organization areas:
1. What are the critical businesses and organizational areas?
2. Which organizational areas provide the business and with what focus?
3. What third party relationships and agreements exist?
4. Are there any services that have been outsourced?
b) sensitive or valuable information:
1. What information is critical to the organization?
2. What would be the likely consequences if certain information were to be disclosed to unauthorized
parties (e.g., loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) laws which mandate information security measures:
1. What laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a public global organization that is required to have external financial
reporting?
d) contractual or organizational agreements relating to information security:
1. What are the storage requirements (including the retention periods) for data storage?
2. Are there any contractual requirements relating to privacy or quality (e.g. a service level agreement, SLA)?

e) industry requirements which specify particular information security controls or measures:
1. What sector-specific requirements apply to the organization?
f) The threat environment:
1. What kind of protection is needed, and against what threats?
2. What are the distinct categories of information that require protection?
3. What are the distinct types of information activities that need to be protected?
g) Competitive Drivers:
1. What are the minimum market requirements for information security?
2. What additional information security controls should provide a competitive advantage for the
organization?
h) Business continuity requirements
1. What are the critical business processes?
2. How long can the organization tolerate interruptions to each critical business process?
The preliminary ISMS scope can be determined by responding to the information above. This is also needed
in order to create a business case and overall ISMS project plan for management approval. The detailed
ISMS scope will be defined during the ISMS project.
The requirements noted in ISO/IEC 27001:2005 reference 4.2.1 a) outline the scope in terms of the
characteristics of the business, the organization, its location, assets and technology. The resulting information
from the above supports this determination.
Some topics which should be considered when making the initial decisions regarding scope include:
a) What are the mandates for information security management established by organizational management
and the obligations imposed externally on the organization?
b) Is the responsibility for the proposed in-scope systems held by more than one management team (e.g.
people in different subsidiaries or different departments)?
c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper or
through the corporate intranet)?
d) Can the current management systems support the organization's needs? Are they fully operational, well
maintained, and functioning as intended?
Examples of management objectives that may be used as input to define the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery
b) improving resilience to incidents
c) addressing legal/contractual compliance/liabilities
d) enabling certification against other ISO/IEC standards
e) enabling organizational evolution and position
f) reducing costs of security controls
g) protecting assets of strategic value
h) establishing a healthy and effective internal control environment
i) providing assurance to stakeholders that information assets are properly protected

Output
The deliverables of this activity are:
a) a document summarizing the objectives, information security priorities, and organizational requirements
for an ISMS;
b) a list of regulatory, contractual, and industry requirements related to the information security of the
organization;
c) outlined characteristics of the business, the organization, its location, assets, and technology.
Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.
5.3 Define the preliminary ISMS scope
5.3.1 Develop the preliminary ISMS scope
Activity
The objectives for implementing an ISMS should include the preliminary ISMS scope definition, which is necessary
for the ISMS project.
Input
Output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS.
Guidance
In order to execute the ISMS implementation project, the structure of an organization for the ISMS should be
defined. The preliminary scope of the ISMS should now be defined to provide management with guidance for
implementation decisions, and to support further activities.
The preliminary ISMS scope is needed in order to create the business case and the proposed project plan for
management approval.
The output from this stage will be a document defining the preliminary scope of the ISMS, which includes:
a) a summary of the mandates for information security management established by organizational
management, and the obligations imposed externally on the organization;
b) a description of how the area(s) in scope interact with other management systems;
c) a list of the business objectives of information security management (as derived in clause 5.2);
d) a list of critical business processes, systems, information assets, organizational structures and
geographic locations to which the ISMS will be applied;
e) the relationship of existing management systems, regulatory, compliance, and organization objectives;
f) the characteristics of the business, the organization, its location, assets and technology.
The common elements and the operational differences between the processes of any existing management
system(s) and the proposed ISMS should be identified.
Output
The deliverable is a document which describes the preliminary scope of the ISMS.

Other information
No other specific information.
NOTE Special attention should be paid to the fact that, in the case of certification, the specific documentation
requirements of ISO/IEC 27001:2005 for the ISMS scope are to be fulfilled regardless of the management systems already
in place within the organization.
5.3.2 Define roles & responsibilities for the preliminary ISMS scope
Activity
The overall roles and responsibilities for the preliminary ISMS scope should be defined.
Input
a) output from Activity 5.3.1 Develop the preliminary ISMS scope
b) list of stakeholders who will benefit from results of the ISMS project.
Guidance
In order to execute the ISMS project, the organizational roles for the project should be determined. These roles
generally differ between organizations, depending on the number of people dealing with information security.
The organizational structure and resources for information security vary with the size, type and structure of the
organization. For example, in a smaller organization, several roles may be carried out by the same person.
However, management should explicitly identify the role (typically Chief Information Security Officer,
Information Security Manager or similar) with overall responsibility for managing information security, and the
staff should be assigned roles and responsibilities based on the skill required to perform the job. This is critical
to ensure that the tasks are carried out efficiently and effectively.
The most important considerations in the definition of roles in information security management are:
a) overall responsibility for the tasks remains at the management level,
b) one person (usually the Chief Information Security Officer) is appointed to promote and co-ordinate the
information security process,
c) each employee is equally responsible for his or her original task and for maintaining information security
in the workplace and in the organization.
The roles for managing information security should work together; this may be facilitated by an Information
Security Forum, or similar body.
Collaboration with appropriate business specialists should be undertaken (and documented) at all stages of
the development, implementation, operation and maintenance of the ISMS.
Representatives from departments within the identified scope (such as risk management) are potential ISMS
implementation team members. This team should be maintained at the smallest practical size for speed and
effective use of resources. Such areas are not only those directly included in the ISMS scope, but also the
indirect divisions, such as legal, risk management and administrative departments.
Output
The deliverable is a document or table describing the roles and responsibilities with the names and
organization needed to successfully implement an ISMS.
Other Information
Annex B provides details of roles and responsibilities needed in an organization to successfully implement an
ISMS.
10 © ISO/IEC 2010 – All rights reserved

5.4 Create the business case and the project plan for management approval
Activity
The management approval and commitment of resources for the ISMS implementation project should be
obtained by creating the business case and the ISMS project proposal.
Input
a) output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS
b) output from Activity 5.3 Define the preliminary ISMS scope – the documented preliminary:
1. ISMS scope, and
2. associated roles and responsibilities.
Guidance
The information for the business case and initial ISMS project plan should include the estimated timeline, resources and milestones needed for the main activities noted in Clauses 6 to 9 of this International Standard. The business case and initial ISMS project plan serve as the basis of the project and also secure management commitment and approval of the resources needed for the ISMS implementation. The manner in which the implemented ISMS will support the business objectives contributes to the effectiveness of the organizational processes and increases the efficiency of the business.
The business case for implementing an ISMS should include short statements linked to the organization’s
objectives and cover the following subjects:
a) goals and specific objectives
b) benefit to the organization
c) preliminary scope of ISMS including business processes affected
d) critical processes and factors for reaching the ISMS objectives
e) high-level project overview
f) initial implementation plan
g) defined roles and responsibilities
h) required resources (both technology and people)
i) implementation considerations including existing information security
j) timeline with key milestones
k) expected costs
l) critical success factors
m) quantified benefits to the organization
The project plan should include the relevant activities of the phases set forth in Clauses 6 to 9 of this International Standard.

Individuals who affect, or are affected by, the ISMS should be identified and allowed adequate time to review and comment on the ISMS business case and ISMS project proposal. The business case and ISMS project proposal should be updated as necessary as input is provided. Once sufficient support is gained, the business case and the ISMS project proposal should be presented to management for approval.
Management should approve the business case and initial project plan in order to achieve full organization
commitment and begin execution of the ISMS project.
The expected benefits from management commitment for implementing an ISMS are:
a) knowledge and implementation of relevant laws, regulations, contractual obligations and standards
relating to information security, resulting in avoidance of liabilities and penalties of non-compliance,
b) efficient use of multiple processes for information security,
c) stability and increased confidence to grow through better management of information security risks,
d) identification and protection of business-critical information.
Output
The deliverables of this activity are:
a) a documented approval by management to execute the ISMS project with the allocated resources
b) a documented business case
c) an initial ISMS Project Proposal, with milestones (such as performing risk assessment, implementation, internal audits and management review)
Other Information
See ISO/IEC 27000:2009 for examples of critical success factors to support the ISMS business case.
6 Defining ISMS scope, boundaries and ISMS policy
6.1 Overview of defining ISMS scope, boundaries and ISMS policy
Management approval for the implementation of an ISMS is based on the preliminary ISMS scope, ISMS
business case and initial project plan. The detailed definition of the scope and boundaries of the ISMS, the
definition of the ISMS policy and acceptance and support by management are the key primary factors for
successful implementation of the ISMS.
Therefore, the objectives of this phase are:
Objectives:
To define the detailed scope and boundaries of the ISMS, develop the ISMS policy, and obtain endorsement from management.
ISO/IEC 27001:2005 reference: 4.2.1 a) and 4.2.1 b)
In order to achieve the "Define the detailed scope and boundaries for the ISMS" objective, the following activities are necessary:
a) define the organizational scope and boundaries,
b) define the Information Communication Technology (ICT) scope and boundaries,
c) define the physical scope and boundaries,
d) determine, in the process of defining these scopes and boundaries, the characteristics specified in ISO/IEC 27001:2005 reference 4.2.1 a) and b), i.e. the business, organization, location, assets and technology aspects of the scope and boundaries, and the policy, and
e) integrate the elementary scopes and boundaries to obtain the ISMS scope and boundaries.
To achieve the definition of the ISMS policy and obtain acceptance from the management, a single activity is
necessary.
To build an effective management system for the organization, the detailed scope of the ISMS should be
determined by considering critical information assets of the organization. It is important to have a common
terminology and systematic approach for identifying information assets and assessing viable security
mechanisms. This enables ease of communication and fosters consistent understanding through all phases of
the implementation. It is also important to ensure that critical organization areas are included in the scope.
It is possible to define the scope of an ISMS to encompass the entire organization, or a part thereof, such as a
division or clearly bounded subsidiary element. For example, in the case of "services" provided to customers,
the scope of the ISMS can be a service, or a cross-functional management system (an entire division or part
of a division). The requirements of ISO/IEC 27001:2005 shall be fulfilled for certification regardless of the
existing management systems in place within the organization.
Defining the organizational scope and boundaries (6.2), the ICT scope and boundaries (6.3) and the physical scope and boundaries (6.4) need not always be carried out sequentially. However, it is useful to reference scope and boundaries already obtained when defining the others.

Figure 4 — Overview of defining ISMS scope, boundaries and ISMS policy
6.2 Define organizational scope and boundaries
Activity
The organizational scope and boundaries should be defined.
Input
a) output from Activity 5.3 Define the preliminary ISMS scope - The documented preliminary scope of the
ISMS which addresses:
1. relationship of existing management systems, regulatory, compliance, and organization objectives;
2. characteristics of the business, the organization, its location, assets and technology.
b) output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS - The documented
approval by management to implement an ISMS and start the project with necessary resources allocated.
Guidance
The amount of effort required to implement an ISMS is dependent on the magnitude of the scope to which it is
to be applied. This can also impact all activities relating to maintenance of information security of in-scope
items (such as process, physical locations, IT systems and people), including implementing and maintaining
controls, managing operations, and carrying out tasks such as identifying information assets and assessing
risk. If management decides to exclude certain parts of the organization from the scope of the ISMS, their
reasons for doing so should be documented.
When the scope of the ISMS is defined, it is important that its boundaries are clear enough to be explained to
those who were not involved in its definition.
Some controls relating to information security may already be in existence as a result of the deployment of
other management systems. These should be taken into account when planning the ISMS, but will not
necessarily indicate the boundaries of the scope for the current ISMS.
One method of defining organizational boundaries is to identify those areas of responsibility which are non-
overlapping to ease assignment of accountability within an organization.
Responsibilities directly related to information assets or business processes included in the ISMS scope should be selected as the part of the organization which is under the control of the ISMS. While defining organizational boundaries the following factors should be considered:
a) the ISMS management forum should consist of managers directly involved in the scope of the ISMS,
b) the member of management responsible for the ISMS should be the one who is ultimately responsible for all the areas of responsibility affected (i.e. their role will usually be dictated by their span of control and responsibility within an organization),
c) in the case where the role responsible for managing the ISMS is not a member of senior management, a top management sponsor is essential to represent the interests of information security and act as the advocate for the ISMS at the highest levels of the organization,
d) scope and boundaries need to be defined to ensure that all relevant assets are taken into account in the risk assessment, and to address the risks that might arise through these boundaries.
Based on the selected approach, the analysis of organizational boundaries should identify all personnel affected by the ISMS, and these should be included in the scope. The identification of personnel may be linked to processes and/or functions depending on the selected approach. If some processes within the scope are outsourced to third parties, those dependencies should be clearly documented. Such dependencies will be subjected to further analysis in the ISMS implementation project.
Output
The deliverables of this activity are:
a) description of organizational boundaries for the ISMS, including any justifications for portions of the
organization that have been excluded from the ISMS scope,
b) functions and structure of those parts of the organization within the scope of the ISMS,
c) identification of information exchanged within the scope and information exchanged through boundaries,
d) organization processes and the responsibilities for the information assets of the scope and outside scope,
e) process for the hierarchy of decision making as well as structure within the ISMS.
Other information
No other specific information.
6.3 Define information communication technology (ICT) scope and boundaries
Activity
The scope and boundaries of the elements of information communication technology (ICT) and other
technology items covered by the ISMS should be defined.
Input
a) output from Activity 5.3 Define the preliminary ISMS scope - The document for the preliminary scope of
the ISMS
b) output from Activity 6.2 Define organizational scope and boundaries
Guidance
The definition of the ICT scope and boundaries can be obtained through an information system (rather than
IT-based) approach. Once there is a management decision to include the information system business
processes into the ISMS scope, all related ICT elements should be considered as well. This includes all parts
of the organization which store, process or transport critical information, assets, or which are critical to the
parts of the organization in-scope. Information systems may span organizational or national borders. Should
this be the case, the following should be considered:
a) socio-cultural environment
b) legal, regulatory and contractual requirements applicable to the organizations
c) accountability for key responsibilities
d) technical constraints (e.g. available bandwidth, availability of service, etc.)
Taking the above into consideration, ICT boundaries should include a description of the following when applicable:
a) the communications infrastructure, where responsibility for managing it is held by the organization, including various different technologies (e.g. wireless, wireline, or data/voice networks),
b) software within the organizational boundaries that is used and controlled by the organization,
c) ICT hardware required by the network or networks, applications or production systems.
...


SLOVENIAN STANDARD
1 March 2011
Information technology - Security techniques - Information security management system implementation guidance
Technologies de l'information - Techniques de sécurité - Lignes directrices pour la mise en oeuvre du système de management de la sécurité de l'information
This Slovenian standard is identical to: ISO/IEC 27003:2010
ICS:
35.040 Character sets and information coding
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

INTERNATIONAL STANDARD ISO/IEC 27003
First edition
2010-02-01
Information technology — Security techniques — Information security management system implementation guidance
Technologies de l'information — Techniques de sécurité — Lignes directrices pour la mise en œuvre du système de management de la sécurité de l'information
Reference number
© ISO/IEC 2010

© ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents  Page
Foreword .... iv
Introduction .... v
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 1
4 Structure of this International Standard .... 2
4.1 General structure of clauses .... 2
4.2 General structure of a clause .... 3
4.3 Diagrams .... 3
5 Obtaining management approval for initiating an ISMS project .... 5
5.1 Overview of obtaining management approval for initiating an ISMS project .... 5
5.2 Clarify the organization’s priorities to develop an ISMS .... 7
5.3 Define the preliminary ISMS scope .... 9
5.4 Create the business case and the project plan for management approval .... 11
6 Defining ISMS scope, boundaries and ISMS policy .... 12
6.1 Overview of defining ISMS scope, boundaries and ISMS policy .... 12
6.2 Define organizational scope and boundaries .... 15
6.3 Define information communication technology (ICT) scope and boundaries .... 16
6.4 Define physical scope and boundaries .... 17
6.5 Integrate each scope and boundaries to obtain the ISMS scope and boundaries .... 18
6.6 Develop the ISMS policy and obtain approval from management .... 19
7 Conducting information security requirements analysis .... 20
7.1 Overview of conducting information security requirements analysis .... 20
7.2 Define information security requirements for the ISMS process .... 22
7.3 Identify assets within the ISMS scope .... 23
7.4 Conduct an information security assessment .... 24
8 Conducting risk assessment and planning risk treatment .... 25
8.1 Overview of conducting risk assessment and planning risk treatment .... 25
8.2 Conduct risk assessment .... 27
8.3 Select the control objectives and controls .... 28
8.4 Obtain management authorization for implementing and operating an ISMS .... 29
9 Designing the ISMS .... 30
9.1 Overview of designing the ISMS .... 30
9.2 Design organizational information security .... 33
9.3 Design ICT and physical information security .... 38
9.4 Design ISMS specific information security .... 40
9.5 Produce the final ISMS project plan .... 44
Annex A (informative) Checklist description .... 45
Annex B (informative) Roles and responsibilities for Information Security .... 51
Annex C (informative) Information about Internal Auditing .... 55
Annex D (informative) Structure of policies .... 57
Annex E (informative) Monitoring and measuring .... 62
Bibliography .... 68

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation
plan for an Information Security Management System (ISMS) within an organization in accordance with
ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described within this International Standard has been designed to support the implementation of ISO/IEC 27001:2005 (relevant parts from Clauses 4, 5 and 7 inclusive) and to document:
a) the preparation for beginning an ISMS implementation plan in an organization, defining the organizational structure for the project, and gaining management approval,
b) the critical activities for the ISMS project, and
c) examples of how to achieve the requirements in ISO/IEC 27001:2005.
By using this International Standard the organization will be able to develop a process for information security
management, giving stakeholders the assurance that risks to information assets are continuously maintained
within acceptable information security bounds as defined by the organization.
This International Standard does not cover operational and other ISMS activities, but covers the concepts of how to design the activities that will follow once ISMS operation begins. These concepts result in the final ISMS project implementation plan. The actual execution of the organization-specific part of an ISMS project is outside the scope of this International Standard.
The implementation of the ISMS project should be carried out using standard project management
methodologies (for more information please see ISO and ISO/IEC Standards addressing project
management).
INTERNATIONAL STANDARD ISO/IEC 27003:2010(E)

Information technology — Security techniques — Information
security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes
the process of ISMS specification and design from inception to the production of implementation plans. It
describes the process of obtaining management approval to implement an ISMS, defines a project to
implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on
how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to
all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all
sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS
implementation. Smaller organizations will find that the activities noted in this International Standard are
applicable to them and can be simplified. Large-scale or complex organizations might find that a layered
organization or management system is needed to manage the activities in this International Standard
effectively. However, in both cases, the relevant activities can be planned by applying this International
Standard.
This International Standard gives recommendations and explanations; it does not specify any requirements.
This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and
ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in
ISO/IEC 27001:2005 or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this
International Standard is not appropriate.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2009,
ISO/IEC 27001:2005 and the following apply.
3.1
ISMS project
structured activities undertaken by an organization to implement an ISMS
4 Structure of this International Standard
4.1 General structure of clauses
The implementation of an ISMS is an important activity and is generally executed as a project in an
organization. This document explains the ISMS implementation by focusing on the initiation, planning, and
definition of the project. The process of planning the ISMS final implementation contains five phases and each
phase is represented by a separate clause. All clauses have a similar structure, as described below. The five
phases are:
a) Obtaining management approval for initiating an ISMS project (Clause 5)
b) Defining ISMS Scope and ISMS Policy (Clause 6)
c) Conducting Organization Analysis (Clause 7)
d) Conducting Risk Assessment and Risk Treatment planning (Clause 8)
e) Designing the ISMS (Clause 9)
Figure 1 illustrates the five phases of the planning of the ISMS project referring to ISO/IEC standards and
main output documents.
Figure 1 — ISMS project phases
Further information is noted in the annexes. These annexes are:
Annex A. Summary of activities with references according to ISO/IEC 27001:2005
Annex B. Information security roles and responsibilities
Annex C. Information on planning of internal audits
Annex D. Structure of policies
Annex E. Information on planning of monitoring and measuring
4.2 General structure of a clause
Each clause contains:
a) one or more objectives stating what is to be achieved noted in the beginning of each clause in a text box;
and
b) one or more activities necessary to achieve the phase objective or objectives.
Each activity is described in a subclause.
Activity descriptions in each subclause are structured as follows:
Activity
The activity describes what is necessary to accomplish it, and thereby to achieve all or part of the phase objectives.
Input
The input describes the starting point, such as the existence of documented decisions or outputs from other activities described in this International Standard. An input may be referenced either as the complete output of an activity, by stating the relevant clause only, or by adding the specific information from that activity after the clause reference.
Guidance
The guidance provides detailed information to enable performing this activity. Some of the guidance may not
be suitable in all cases and other ways of achieving the results may be more appropriate.
Output
The output describes the result(s) or deliverable(s) upon completion of the activity, e.g. a document. The outputs are the same, independent of the size of the organization or the ISMS scope.
Other information
The other information provides any additional information that may assist in performing the activity, for
example references to other standards.
NOTE The phases and activities described in this document include a suggested sequence of performing activities
based on the dependencies identified through each of the activities’ “Input” and “Output” descriptions. However,
depending on many different factors (e.g., effectiveness of management system currently in place, understanding with
regard to the importance of information security, reasons for implementing an ISMS), an organization may select any
activity in any order as necessary to prepare for the establishment and implementation of the ISMS.
4.3 Diagrams
A project is often illustrated in graphical or diagram form showing an overview of activities and outputs. Figure 2 gives the legend for the diagrams shown in the overview subclause of each phase. The diagrams provide a high-level overview of the activities included in each phase.

Figure 2 — Flow diagram legend

The upper square illustrates the planning phases of an ISMS project. The phase explained in the specific
clause is then emphasized with its key output documents.
The lower diagram (activities of the phase) includes the key activities which are included in the emphasized
phase of the upper square, and main output documents of each activity.
The timeline in the lower square is based on the timeline in the upper square.
Activity A and Activity B can be executed at the same time. Activity C should be started after Activities A and B are finished.
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
There are several factors that should be taken into consideration when deciding to implement an ISMS. In
order to address these factors, management should understand the business case of an ISMS implementation
project and approve it. Therefore the objective of this phase is:
Objective:
To obtain management approval to start the ISMS project by defining a business case and the project plan.
In order to acquire management approval, an organization should create a business case which includes the
priorities and objectives to implement an ISMS in addition to the structure of the organization for the ISMS.
The initial ISMS project plan should also be created.
The work performed in this phase will enable the organization to understand the relevance of an ISMS, and
clarify the information security roles and responsibilities within the organization needed for an ISMS project.
The expected output of this phase will be the preliminary management approval of, and commitment to, implementing an ISMS and performing the activities described in this International Standard. The deliverables from this clause include a business case and a draft ISMS project plan with key milestones.
Figure 3 illustrates the process to obtain management approval to initiate the ISMS project.
NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one
of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of
ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in
this document.
Figure 3 — Overview of obtaining management approval for initiating an ISMS project

5.2 Clarify the organization’s priorities to develop an ISMS
Activity
The objectives for implementing an ISMS should be defined by considering the organization’s information security priorities and requirements.
Input
a) the organization’s strategic objectives
b) overview of the existing management systems
c) a list of legal, regulatory, and contractual information security requirements applicable to the organization
Guidance
In order to start the ISMS project, management approval is generally needed. Therefore, the first activity that should be performed is to collect the relevant information illustrating the value of an ISMS to the organization. The organization should clarify why an ISMS is needed, decide the objectives of the ISMS implementation, and initiate the ISMS project.
The objectives for implementing an ISMS can be determined by answering the following questions:
a) risk management – How will an ISMS generate better management of information security risks?
b) efficiency – How can an ISMS improve the management of information security?
c) business advantage – How can an ISMS create competitive advantage for the organization?
In order to answer the questions above, the organization’s security priorities and requirements are addressed
by the following possible factors:
a) critical businesses and organization areas:
1. What are the critical businesses and organizational areas?
2. Which organizational areas provide the business and with what focus?
3. What third party relationships and agreements exist?
4. Are there any services that have been outsourced?
b) sensitive or valuable information:
1. What information is critical to the organization?
2. What would be the likely consequences if certain information were to be disclosed to unauthorized
parties (e.g., loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) laws which mandate information security measures:
1. What laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a public global organization that is required to have external financial
reporting?
d) contractual or organizational agreements relating to information security:
1. What are the storage requirements (including the retention periods) for data storage?
2. Are there any contractual requirements relating to privacy or quality (e.g. a service level agreement, SLA)?
© ISO/IEC 2010 – All rights reserved 7

e) industry requirements which specify particular information security controls or measures:
1. What sector-specific requirements apply to the organization?
f) The threat environment:
1. What kind of protection is needed, and against what threats?
2. What are the distinct categories of information that require protection?
3. What are the distinct types of information activities that need to be protected?
g) Competitive Drivers:
1. What are the minimum market requirements for information security?
2. What additional information security controls should provide a competitive advantage for the
organization?
h) Business continuity requirements
1. What are the critical business processes?
2. How long can the organization tolerate interruptions to each critical business process?
The preliminary ISMS scope can be determined by responding to the information above. This is also needed
in order to create a business case and overall ISMS project plan for management approval. The detailed
ISMS scope will be defined during the ISMS project.
The requirements noted in ISO/IEC 27001:2005 reference 4.2.1 a) outline the scope in terms of the
characteristics of the business, the organization, its location, assets and technology. The resulting information
from the above supports this determination.
Some topics which should be considered when making the initial decisions regarding scope include:
a) What are the mandates for information security management established by organizational management
and the obligations imposed externally on the organization?
b) Is the responsibility for the proposed in-scope systems held by more than one management team (e.g.
people in different subsidiaries or different departments)?
c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper or
through the corporate intranet)?
d) Can the current management systems support the organization’s needs? Are they fully operational, well
maintained, and functioning as intended?
Examples of management objectives that may be used as input to define the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery
b) improving resilience to incidents
c) addressing legal/contractual compliance/liabilities
d) enabling certification against other ISO/IEC standards
e) enabling organizational evolution and position
f) reducing costs of security controls
g) protecting assets of strategic value
h) establishing a healthy and effective internal control environment
i) providing assurance to stakeholders that information assets are properly protected

Output
The deliverables of this activity are:
a) a document summarizing the objectives, information security priorities, and organizational requirements
for an ISMS.
b) a list of regulatory, contractual, and industry requirements related to the information security of the
organization.
c) Outlined characteristics of the business, the organization, its location, assets, and technology.
Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.
5.3 Define the preliminary ISMS scope
5.3.1 Develop the preliminary ISMS scope
Activity
The objectives for implementing the ISMS should include the definition of the preliminary ISMS scope, which is
necessary for the ISMS project.
Input
Output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS.
Guidance
In order to execute the ISMS implementation project, the structure of an organization for the ISMS should be
defined. The preliminary scope of the ISMS should now be defined to provide management with guidance for
implementation decisions, and to support further activities.
The preliminary ISMS scope is needed in order to create the business case and the proposed project plan for
management approval.
The output from this stage will be a document defining the preliminary scope of the ISMS, which includes:
a) a summary of the mandates for information security management established by organizational
management, and the obligations imposed externally on the organization;
b) a description of how the area(s) in scope interact with other management systems;
c) a list of the business objectives of information security management (as derived in clause 5.2);
d) a list of critical business processes, systems, information assets, organizational structures and
geographic locations to which the ISMS will be applied.
e) the relationship of existing management systems, regulatory, compliance, and organization objectives;
f) the characteristics of the business, the organization, its location, assets and technology.
The common elements and the operational differences between the processes of any existing management
system(s) and the proposed ISMS should be identified.
Output
The deliverable is a document which describes the preliminary scope of the ISMS.

Other information
No other specific information.
NOTE Special attention should be paid to the fact that, in the case of certification, the specific documentation
requirements of ISO/IEC 27001:2005 for the ISMS scope are to be fulfilled regardless of the management systems in place
within the organization.
5.3.2 Define roles & responsibilities for the preliminary ISMS scope
Activity
The overall roles and responsibilities for the preliminary ISMS scope should be defined.
Input
a) output from Activity 5.3.1 Develop the preliminary ISMS scope
b) list of stakeholders who will benefit from results of the ISMS project.
Guidance
In order to execute the ISMS project, the organization's roles for the project should be determined. These roles
generally differ from one organization to another because of the number of people dealing with information security.
The organizational structure and resources for information security vary with the size, type and structure of the
organization. For example, in a smaller organization, several roles may be carried out by the same person.
However, management should explicitly identify the role (typically Chief Information Security Officer,
Information Security Manager or similar) with overall responsibility for managing information security, and the
staff should be assigned roles and responsibilities based on the skill required to perform the job. This is critical
to ensure that the tasks are carried out efficiently and effectively.
The most important considerations in the definition of roles in information security management are:
a) overall responsibility for the tasks remains at the management level,
b) one person (usually the Chief Information Security Officer) is appointed to promote and co-ordinate the
information security process,
c) each employee is equally responsible for his or her original task and for maintaining information security
in the workplace and in the organization.
The roles for managing information security should work together; this may be facilitated by an Information
Security Forum, or similar body.
Collaboration with appropriate business specialists should be undertaken (and documented) at all stages of
the development, implementation, operation and maintenance of the ISMS.
Representatives from departments within the identified scope (such as risk management) are potential ISMS
implementation team members. Such departments are not only those directly included in the ISMS scope, but also
indirectly involved divisions such as legal, risk management and administrative departments. The team should be
kept at the smallest practical size for speed and effective use of resources.
Output
The deliverable is a document or table describing the roles and responsibilities with the names and
organization needed to successfully implement an ISMS.
Other Information
Annex B provides details of roles and responsibilities needed in an organization to successfully implement an
ISMS.

5.4 Create the business case and the project plan for management approval
Activity
The management approval and commitment of resources for the ISMS implementation project should be
obtained by creating the business case and the ISMS project proposal.
Input
a) output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS
b) output from Activity 5.3 Define the preliminary ISMS scope – the documented preliminary:
1. ISMS scope, and
2. associated roles and responsibilities.
Guidance
The information for the business case and initial ISMS project plan should include estimated timeline,
resources, and milestones needed for the main activities noted in Clauses 6 to 9 of this International Standard.
The business case and initial ISMS project plan serve as the basis of the project and also ensure
management commitment and approval of the resources needed for the ISMS implementation. The manner in
which the implemented ISMS will support the business objectives contributes to the effectiveness of the
organizational processes and increases the efficiency of the business.
The business case for implementing an ISMS should include short statements linked to the organization’s
objectives and cover the following subjects:
a) goals and specific objectives
b) benefit to the organization
c) preliminary scope of ISMS including business processes affected
d) critical processes & factors for reaching the ISMS objectives
e) high-level project overview
f) initial implementation plan
g) defined roles and responsibilities
h) required resources (both technology and people)
i) implementation considerations including existing information security
j) timeline with key milestones
k) expected costs
l) critical success factors
m) quantify the benefits to the organization
The project plan should include the relevant activities of the phases set forth in Clauses 6 to 9 of this International
Standard.

Individuals that affect, or are affected by, the ISMS should be identified and allowed adequate time to review
and comment on the ISMS business case and ISMS project proposal. The business case and ISMS project
proposal should be updated as necessary as input is provided. Once sufficient support is gained, the business
case and the ISMS project proposal should be presented to management for approval.
Management should approve the business case and initial project plan in order to achieve full organization
commitment and begin execution of the ISMS project.
The expected benefits from management commitment for implementing an ISMS are:
a) knowledge and implementation of relevant laws, regulations, contractual obligations and standards
relating to information security, resulting in avoidance of liabilities and penalties of non-compliance,
b) efficient use of multiple processes for information security,
c) stability and increased confidence to grow through better management of information security risks,
d) identification and protection of business-critical information.
Output
The deliverables of this activity are:
a) a documented approval by management to execute the ISMS project with the allocated resources
b) a documented business case
c) an initial ISMS Project Proposal (with milestones such as performing risk assessment, implementation,
internal audits, and management review)
Other Information
See ISO/IEC 27000:2009 for examples of critical success factors to support the ISMS business case.
6 Defining ISMS scope, boundaries and ISMS policy
6.1 Overview of defining ISMS scope, boundaries and ISMS policy
Management approval for the implementation of an ISMS is based on the preliminary ISMS scope, ISMS
business case and initial project plan. The detailed definition of the scope and boundaries of the ISMS, the
definition of the ISMS policy and acceptance and support by management are the key primary factors for
successful implementation of the ISMS.
Therefore, the objectives of this phase are:
Objectives:
To define the detailed scope and boundaries of the ISMS and develop the ISMS policy, and obtain
endorsement from management
ISO/IEC 27001:2005 reference: 4.2.1 a) and 4.2.1 b)

In order to achieve the objective "Define the detailed scope and boundaries for the ISMS", the following activities
are necessary:
a) define the organizational scope and boundaries,
b) define the Information Communication Technology (ICT) scope and boundaries,
c) define the physical scope and boundaries,
d) determine, in the process of defining these scopes and boundaries, the characteristics specified in
ISO/IEC 27001:2005 reference 4.2.1 a) and b), i.e. the business, organization, location, assets and technology
aspects of the scope and boundaries, and the policy, and
e) integrate the elementary scopes and boundaries to obtain the ISMS scope and boundaries.
To achieve the definition of the ISMS policy and obtain acceptance from the management, a single activity is
necessary.
To build an effective management system for the organization, the detailed scope of the ISMS should be
determined by considering critical information assets of the organization. It is important to have a common
terminology and systematic approach for identifying information assets and assessing viable security
mechanisms. This enables ease of communication and fosters consistent understanding through all phases of
the implementation. It is also important to ensure that critical organization areas are included in the scope.
It is possible to define the scope of an ISMS to encompass the entire organization, or a part thereof, such as a
division or clearly bounded subsidiary element. For example, in the case of "services" provided to customers,
the scope of the ISMS can be a service, or a cross-functional management system (an entire division or part
of a division). The requirements of ISO/IEC 27001:2005 shall be fulfilled for certification regardless of the
existing management systems in place within the organization.
Organizational scope and boundaries (6.2), ICT scope and boundaries (6.3) and physical scope and boundaries
(6.4) need not always be defined sequentially. However, it is useful to reference the scope and boundaries
already obtained when defining the others.


Figure 4 — Overview of defining ISMS scope, boundaries and ISMS policy

6.2 Define organizational scope and boundaries
Activity
The organizational scope and boundaries should be defined.
Input
a) output from Activity 5.3 Define the preliminary ISMS scope - The documented preliminary scope of the
ISMS which addresses:
1. relationship of existing management systems, regulatory, compliance, and organization objectives;
2. characteristics of the business, the organization, its location, assets and technology.
b) output from Activity 5.2 Clarify the organization’s priorities to develop an ISMS - The documented
approval by management to implement an ISMS and start the project with necessary resources allocated.
Guidance
The amount of effort required to implement an ISMS is dependent on the magnitude of the scope to which it is
to be applied. This can also impact all activities relating to maintenance of information security of in-scope
items (such as process, physical locations, IT systems and people), including implementing and maintaining
controls, managing operations, and carrying out tasks such as identifying information assets and assessing
risk. If management decides to exclude certain parts of the organization from the scope of the ISMS, their
reasons for doing so should be documented.
When the scope of the ISMS is defined, it is important that its boundaries are clear enough to be explained to
those who were not involved in its definition.
Some controls relating to information security may already be in existence as a result of the deployment of
other management systems. These should be taken into account when planning the ISMS, but will not
necessarily indicate the boundaries of the scope for the current ISMS.
One method of defining organizational boundaries is to identify those areas of responsibility which are
non-overlapping, to ease the assignment of accountability within an organization.
Responsibilities directly related to information assets or business processes included in the ISMS scope
should be selected as a part of organization which is under control of the ISMS. While defining organizational
boundaries the following factors should be considered:
a) the ISMS management forum should consist of managers directly involved in the scope of the ISMS;
b) the member of management responsible for the ISMS should be the one who is ultimately responsible for
all the areas of responsibility affected (i.e. their role will usually be dictated by their span of control and
responsibility within an organization);
c) where the role responsible for managing the ISMS is not a member of senior management, a top
management sponsor is essential to represent the interests of information security and act as the
advocate for the ISMS at the highest levels of the organization;
d) scope and boundaries need to be defined to ensure that all relevant assets are taken into account in the
risk assessment, and to address the risks that might arise through these boundaries.
Based on the selected approach, the analysis of organizational boundaries should identify all personnel affected
by the ISMS, and these should be included in the scope. The identification of personnel may be linked to
processes and/or functions depending on the selected approach. If some processes within the scope are
outsourced to third parties, those dependencies should be clearly documented. Such dependencies will be
subject to further analysis in the ISMS implementation project.

Output
The deliverables of this activity are:
a) description of organizational boundaries for the ISMS, including any justifications for portions of the
organization that have been excluded from the ISMS scope,
b) functions and structure of those parts of the organization within the scope of the ISMS,
c) identification of information exchanged within the scope and information exchanged through boundaries,
d) organization processes and the responsibilities for the information assets within and outside the scope,
e) process for the hierarchy of decision making as well as structure within the ISMS.
Other information
No other specific information.
6.3 Define information communication technology (ICT) scope and boundaries
Activity
The scope and boundaries of the elements of information communication technology (ICT) and other
technology items covered by the ISMS should be defined.
Input
a) output from Activity 5.3 Define the preliminary ISMS scope - The document for the preliminary scope of
the ISMS
b) output from Activity 6.2 Define orga
...


International Standard ISO/IEC 27003
Official translation
Traduction officielle
Information technology — Security techniques — Guidance on implementing an information security management system (A)
Information technology — Security techniques — Information security
management system implementation guidance (E)
Technologies de l'information — Techniques de sécurité — Lignes
directrices pour la mise en œuvre du système de management de la
sécurité de l'information (F)
Printed at the ISO Central Secretariat in Geneva, Switzerland, as an official Arabic translation on behalf of the 10 ISO member bodies that approved the accuracy of the translation (see the list on page ii).
Reference number
ISO 27003/2010 (A)
Official translation
© ISO 2010
ISO/IEC 27003:2010 (A)

Disclaimer (notice)
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept the responsibility of not infringing Adobe's licensing policy, while the ISO Central Secretariat accepts no legal liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the general information relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the event that a problem relating to this file is found, please inform the Central Secretariat at the address given below.

Arab standardization bodies that approved the standard
Jordan: Jordan Standards and Metrology Organization
United Arab Emirates: Emirates Authority for Standardization and Metrology
Algeria: Algerian Institute for Standardization
Saudi Arabia: Saudi Standards and Metrology Organization
Iraq: Central Organization for Standardization and Quality Control
Kuwait: Public Authority for Industry
Sudan: Sudanese Standards and Metrology Organization
Yemen: Yemen Standardization, Metrology and Quality Control Organization
Tunisia: National Institute for Standardization and Industrial Property
Syria: Syrian Arab Organization for Standardization and Metrology
Libya: National Center for Standards and Standardization
Egypt: Egyptian Organization for Standardization and Quality

Copyright protection document
© ISO 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or one of the ISO member bodies in the country of the requester.
ISO copyright office
Case postale 56 * CH-1211 Geneva 20
Tel. 0041 22 749 01 11
Fax 0041 22 749 09 47
E-mail: copyright@iso.org
Web site: www.iso.org
The Arabic version was published in 2016
Published in Switzerland
ii © ISO 2010 – All rights reserved

ISO/IEC 27003:2010 (A)
Contents           Page
Foreword iv
Introduction v
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Structure of this International Standard 1
4.1 General structure of the clauses of this standard 1
4.2 General structure of a clause of this standard 3
4.3 Diagrams (charts) 4
5 Obtaining management approval for initiating an ISMS project 5
5.1 Overview of obtaining management approval for initiating an ISMS project 5
5.2 Clarify the organization's priorities to develop an ISMS 9
5.3 Define the preliminary ISMS scope 11
5.4 Create the business case and the project plan for management approval 13
6 Defining ISMS scope, boundaries and ISMS policy 15
6.1 Overview of defining ISMS scope, boundaries and ISMS policy 15
6.2 Define organizational scope and boundaries 18
6.3 Define information and communication technology (ICT) scope and boundaries 19
6.4 Define physical scope and boundaries 20
6.5 Integrate each scope and boundaries to obtain the overall ISMS scope and boundaries 21
6.6 Develop the ISMS policy and obtain management approval 22
7 Conducting information security requirements analysis 21
7.1 Overview of conducting information security requirements analysis 21
7.2 Define information security requirements for the ISMS process 24
7.3 Identify assets within the ISMS scope 25
7.4 Conduct an information security assessment 26
8 Conducting risk assessment and planning risk treatment 27
8.1 Overview of conducting risk assessment and planning risk treatment 27
8.2 Conduct risk assessment 29
8.3 Select the control objectives and controls 32
8.4 Obtain management authorization for implementing and operating an ISMS 33
9 Designing the ISMS 34
9.1 Overview of designing the ISMS 34
9.2 Design organizational information security 34
9.3 Design ICT and physical information security 42
9.4 Design ISMS-specific information security 43
9.5 Produce the final ISMS project plan 45
Annex A (informative) Checklist description 45
Annex B (informative) Roles and responsibilities for information security 48
Annex C (informative) Information about internal auditing 52
Annex D (informative) Structure of policies 54
Annex E (informative) Monitoring and measuring 58


Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies entitled to vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC1, Information technology, Subcommittee SC27, IT Security techniques.


Introduction
The purpose of this International Standard is to provide practical guidance for developing and implementing a plan for an information security management system (ISMS) within an organization, in accordance with ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.
The process described in this standard has been designed to provide support for the implementation of ISO/IEC 27001:2005 (the relevant parts are confined to Clauses 4, 5 and 7) and documents:
a) the preparation for beginning an ISMS implementation plan in the organization, defining the organizational structure for the project, and obtaining management approvals;
b) the critical activities of the ISMS project;
c) examples for achieving the requirements of ISO/IEC 27001:2005.
By using this International Standard, an organization can develop a process for information security management, giving stakeholders the assurance that the risks to information assets are continuously kept within the bounds of acceptable information security as defined by the organization.
This International Standard does not cover the operational activities and the other ISMS activities; rather, it covers the concepts on which the design of those activities, which will follow once ISMS operations begin, is based. The concept results in the final plan for implementing the ISMS project.


Information technology — Security techniques — Guidance on implementing an information security management system

1. Scope
This International Standard focuses on the critical aspects needed for the successful design and implementation of an information security management system (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of the implementation plans. It also describes the process of obtaining management approval to implement an ISMS, defines the project for implementing it (referred to in this standard as the ISMS project), and provides guidance on how to plan the project, so that a final plan for implementing the project is obtained at the end.
This International Standard is intended to be used by organizations implementing an ISMS. It applies to organizations of all types (such as commercial enterprises, government agencies and non-profit organizations) and of all sizes. Each organization is unique in its complexity, and the particularity of its requirements will determine how it implements its ISMS. Smaller organizations will therefore find that the activities described in this standard apply to them in a simplified manner, whereas large or more complex organizations may find that a multi-layered management structure or a separate management system is needed to manage the activities of this International Standard effectively. In both cases, the relevant activities can be planned using this International Standard.
This International Standard gives recommendations and explanations, and does not specify any requirements. It is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but it is not intended to modify or reduce the requirements given in ISO/IEC 27001:2005 or the recommendations given in ISO/IEC 27002:2005. Claiming conformity with this standard is not appropriate.
2. Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the editions cited apply. For undated references, the latest edition of the referenced document (including any amendments) applies:
ISO/IEC 27000:2009 Information technology — Security techniques — Information security management systems — Overview and vocabulary.
ISO/IEC 27001:2005 Information technology — Security techniques — Information security management systems — Requirements.
3. Terms and definitions
For the purposes of this standard, the terms and definitions given in ISO/IEC 27000:2009 and ISO/IEC 27001:2005 apply, in addition to the following:
3.1 ISMS project
Structured activities undertaken by an organization to implement an information security management system (ISMS).
4. Structure of this International Standard
4.1 General structure of the clauses of this standard


The implementation of an ISMS is an important activity and is generally executed as one of the organization's projects. This document explains the implementation of an ISMS by focusing on the initiation, planning and definition of the project. The process of planning the final implementation of the system comprises five phases, each of which is represented by a separate clause. All clauses have the same structure, as described below. The five phases are:
a) obtaining management approval for initiating an ISMS project (Clause 5)
b) defining the scope of the system and the policy (Clause 6)
c) conducting the organization analysis (Clause 7)
d) conducting the risk assessment and the risk treatment plan (Clause 8)
e) designing the ISMS (Clause 9)

Figure 1 shows the five phases of planning the ISMS project, with reference to the ISO/IEC standards and the main output documents.
[Figure 1 (diagram): the five ISMS project planning phases, Clauses 5 to 9, laid out on a timeline: obtaining management approval for initiating the ISMS project; defining the scope and boundaries of the ISMS and the policy; conducting the information security requirements analysis; conducting the risk assessment and planning risk treatment; designing the ISMS. Main output documents: written notice of management approval to implement the ISMS; ISMS scope and boundaries and ISMS policy; information security requirements and information assets; information security assessment results, risk treatment plan and Statement of Applicability including the selected control objectives and controls; final plan for implementing the ISMS.]
Figure 1 — Phases of the ISMS project
Further information is given in the attached annexes. These annexes are:
Annex A: Summary of activities with reference to ISO/IEC 27001:2005
Annex B: Information security roles and responsibilities
Annex C: Information about planning internal audits
Annex D: Structure of policies
Annex E: Information about planning monitoring and measuring
4.2 General structure of a clause of this standard
Each clause contains the following:
a) one or more objectives, with what is to be achieved stated in a text box at the beginning of each clause
b) one or more activities necessary to achieve the objective or objectives of the phase
Each activity is described separately in a sub-clause.
The description of the activity in each sub-clause is divided as follows:
Activity:
The activity defines what is necessary to satisfy the aspects of this activity so as to achieve all or part of the objectives of the phase.
Input:
The input describes the starting points, such as the existence of documented decisions or outputs from other activities described in this International Standard. Inputs can also be referred to either as the complete outputs of an activity by merely mentioning the relevant clause, or specific information from an activity may be added after the reference to the clause.
Guidance
The guidance provides detailed information that enables the activity to be performed. Some guidance may not be suitable in all cases, and there may be other methods more appropriate for achieving the results.
Output
The output describes the results or deliverables upon completion of the activity, such as documents. The outputs are the same regardless of the size of the organization or the scope of the ISMS.
Other information
Other information provides any additional information that could assist in performing the activity, such as references to other standards.
NOTE: The phases and activities described in this document include a suggested sequence for performing the activities, based on the dependencies identified through the inputs and outputs of each of these activities. However, the organization may choose its activities in any order it finds necessary for preparing and implementing an ISMS, depending on many different factors (such as the effectiveness of the currently applied management system, and the understanding of the importance of information security and of the reasons for implementing an ISMS).
4.3 Diagrams (charts)
A project is often illustrated in the form of charts or diagrams that show an overview of the activities and outputs. Figure 2 shows the legend for the diagrams given in the overview sub-clause of each phase. The diagrams provide a complete high-level view of the activities included in each phase.

3   © ISO 2010 All rights reserved

[Figure 2 residue: upper box "Planning phases of the ISMS project", showing phases X, Y and Z with their output documents along a timeline; lower box "Activities of the phase", showing activities A, B and C with their output documents along a timeline.]
Figure 2: Legend for the flow diagrams
The upper box shows the planning phases of the project and the key output documents of each phase, as explained in the clause for that phase.
The lower diagram (activities of each phase) contains the key activities included in the phase highlighted in the upper box, and the main output documents of each activity.
The timeline in the lower box is based on the timeline in the upper box.
Activities A and B can be performed at the same time, whereas activity C should start after activities A and B have been completed.
5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project
There are many factors or influences that need to be considered when deciding to implement an information security management system (ISMS). To address these factors, management needs to understand and approve the business case for the ISMS implementation project. The objective of this phase is therefore:
Objective:
To obtain management approval to initiate the ISMS project by defining a business case and a project plan.
In order to obtain management approval, the organization should create a business case that includes the priorities and objectives for implementing the ISMS, as well as the organizational structure for the ISMS. An initial ISMS project plan should also be created.
The work performed in this phase will enable the organization to understand the importance of an ISMS and to clarify the information security roles and responsibilities within the organization that are needed for the ISMS project.
The expected output of this phase is management's initial approval of, and commitment to, implementing an ISMS and performing the activities described in this International Standard. The deliverables of this clause include the business case document and a draft ISMS project plan with milestones.
Figure 3 illustrates the process of obtaining management approval for initiating the ISMS project.
NOTE: The output of Clause 5 (documented management commitment to planning and implementing an ISMS) and one of the outputs of Clause 7 (a summary document of the information security status) are not requirements of ISO/IEC 27000:2005. Nevertheless, the outputs of these activities are recommended inputs to the other activities described in this document.

[Figure 3 residue: upper box shows phases 5 to 9 along a timeline (5 obtain management approval for initiating the ISMS project; 6 define ISMS scope, boundaries and information security policy; 7 conduct requirements analysis; 8 conduct risk assessment and plan risk treatment; 9 design the ISMS), with phase 5 highlighted. Lower box shows the activities of phase 5 along a timeline: 5.2 clarify the organization's priorities to develop an ISMS (outputs: summary of ISMS objectives; list of legislative, contractual and industry constraints related to the organization's information security; summary of business characteristics); 5.3 define the preliminary ISMS scope (5.3.1 develop the preliminary ISMS scope; 5.3.2 define roles and responsibilities for the preliminary ISMS scope; outputs: preliminary ISMS scope; summary description of roles and responsibilities for implementing the ISMS); 5.4 create the business case and project plan for management approval (outputs: business case; ISMS project proposal; ISMS project approval).]
Figure 3: Overview of obtaining management approval for initiating ISMS planning
5.2 Clarifying the organization's priorities to develop an ISMS
Activity:
The objectives for implementing an ISMS should be established, taking the organization's information security priorities and requirements into account.
Inputs:
a) the organization's strategic objectives;
b) an overview of the existing management systems;
c) a list of the legal, regulatory and contractual information security requirements applicable to the organization.
Guidance:
Management approval is normally required to start any ISMS project; the first activity is therefore to collect the important information that demonstrates the value of an ISMS to the organization. The organization should make clear how pressing the need for an ISMS is, determine the objectives for implementing the ISMS, and initiate the ISMS project.
The objectives for implementing an ISMS can be determined by answering the following questions:
a) Risk management: how will the ISMS result in better management of information security risks?
b) Efficiency: how can the ISMS improve the management of information security?
c) Market advantage: how can the ISMS create a competitive advantage for the organization?
To answer the questions above, the organization's priorities and requirements should be addressed in terms of the following factors:
a) Critical business and organizational areas:
1) What are the critical business and organizational areas?
2) Which organizational areas support the business, and to what degree?
3) What relationships and agreements exist with third parties?
4) Are any services outsourced?
b) Critical or valuable information:
1) What information is critical to the organization?
2) What are the likely consequences if specific information is disclosed to unauthorized parties (e.g. loss of competitive advantage, damage to brand or reputation, legal action, etc.)?
c) Laws that require information security measures:
1) Which laws relating to risk treatment or information security apply to the organization?
2) Is the organization part of a larger public organization that is required to produce financial reports for external parties?
d) Contractual or regulatory agreements related to information security:
1) What are the storage requirements (including retention periods) for stored data?
2) Are there any contractual requirements relating to confidentiality or quality (e.g. service level agreements (SLAs))?
e) Industry requirements that prescribe specific information security controls or measures:
1) What sector-specific requirements apply to the organization's situation?
f) Threat environment:
1) What types of protection are required, and against which threats?
2) What are the distinct categories of information that require protection?
3) What are the distinct types of information activities that need protection?
g) Competitive drivers:
1) What are the minimum market requirements for information security?
2) What additional information security controls would give the organization a competitive advantage?
h) Business continuity requirements:
1) What are the critical business processes?
2) For how long can the organization tolerate interruptions to its business processes?
The preliminary scope of the ISMS is determined by answering the questions above; this is also required for creating the business case and the overall plan for the ISMS project in order to obtain management approval. The detailed scope of the ISMS is defined during the project.
The requirements stated in ISO/IEC 27001:2005, 4.2.1 a) summarize the scope in terms of the characteristics of the business, the organizational structure, location, assets and technology; the information resulting from the above supports this determination.
Issues to consider when making preliminary decisions about the scope include the following:
a) What information security management imperatives have been established by the organization's management, and what external obligations are imposed on the organization?
b) Does responsibility for the content of the proposed ISMS scope lie with more than one management team (e.g. people in subordinate or different departments)?
c) How will ISMS-related documents be communicated across the organization (e.g. on paper or via the intranet)?
d) Can the existing management systems support the organization's needs? Are they fully operational, well maintained and working as planned?
Examples of management objectives that may be used as inputs for defining the preliminary ISMS scope include:
a) facilitating business continuity and disaster recovery;
b) improving resilience to incidents;
c) addressing legal and contractual obligations;
d) enabling certification to other ISO/IEC International Standards;
e) enabling organizational development and positioning;
f) reducing the cost of security controls;
g) protecting assets of strategic value;
h) establishing a sound and effective internal control environment;
i) providing assurance to interested parties that information assets are appropriately protected.
Output:
The deliverables of this activity are:
a) a document summarizing the objectives, the information security priorities and the organizational requirements for the ISMS;
b) a list of the regulatory, contractual and industry requirements related to information security in the organization;
c) a summary of the characteristics of the business, the organization, its location, assets and technology.
Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.
5.3 Defining the preliminary ISMS scope
5.3.1 Developing the preliminary ISMS scope
Activity:
The objectives for implementing the ISMS should include a definition of the scope, which is necessary for the ISMS project.
Inputs:
The output of activity 5.2, which clarifies the organization's priorities in developing an ISMS.
Guidance:
In order to implement the ISMS project, the structure of the ISMS needs to be defined. The preliminary scope of the ISMS should now be defined, to give management guidance for implementation decisions and to support further activities.
This preliminary scope is necessary for creating the business case and the proposed project plan for management approval.
The output of this phase will be a document defining the preliminary ISMS scope, which includes:
a) a summary of the information security management imperatives set by management and the obligations imposed by external parties;
b) a description of how the different organizational areas named in the scope interact with other management systems;
c) a list of business objectives from the information security management perspective (derived from 5.2);
d) a list of the critical business processes, systems, information assets, organizational structures and geographical locations to which the ISMS will apply;
e) the relationship to existing management systems, regulatory and compliance objectives, and the organization's objectives;
f) the characteristics of the business, the organization, location, assets and technology.
These general elements, and the operational differences between the processes in any existing management systems and the proposed ISMS, should be identified.
Output:
The deliverable is a document describing the preliminary ISMS scope.
Other information
No specific other information.
NOTE: Where certification to ISO/IEC 27001:2005 is sought, it should be noted that the documents required by that standard must be provided, as must the requirements on the ISMS scope, regardless of any other systems existing in the organization.
5.3.2 Defining roles and responsibilities for the preliminary ISMS scope
Activity:
The overall roles and responsibilities for the preliminary ISMS scope should be defined.
Inputs:
a) the output of activity 5.3.1 Developing the preliminary ISMS scope;
b) a list of the interested parties who will benefit from the results of the ISMS project.
Guidance:
In order to implement the ISMS project, the organization's roles need to be determined. These vary from one organization to another, because the people involved in information security, the organizational structures and the resources dedicated to information security differ according to the type, size and structure of the organization. For example, in small organizations several roles are performed by the same person; nevertheless, management should explicitly and clearly identify this role (typically a chief information security officer, an information security manager or similar) with overall responsibility for information security management. Roles and responsibilities should be assigned to staff on the basis of the skills required for their function, which is necessary to ensure that tasks are carried out competently.
The most important considerations in defining information security management roles are:
a) overall responsibility for tasks remains at management level;
b) one person (typically the chief information security officer) is appointed to promote and coordinate the information security process;
c) every employee is equally responsible for his or her original task and for maintaining information security in the workplace and in the organization.
Information security management roles should work together, which is facilitated through an information security group or a similar body.
Cooperation with the specialists at each stage of the work should take place, and be documented, during the development, implementation, operation and maintenance phases of the ISMS.
Representatives of the departments within the defined scope (e.g. risk management) are potential members of the ISMS management team; this team should be kept to the smallest practical size so that it works quickly and uses resources efficiently. These areas are not only those directly included in the ISMS scope, but also indirectly involved departments such as the legal, administrative and organizational departments.
Output
The deliverable is a document or table describing the roles and responsibilities, with names and organizations, required for the successful implementation of the ISMS.
Other information
Annex B gives details of the roles and responsibilities required in the organization for the successful implementation of the ISMS.
5.4 Creating the business case and the project plan for management approval
Activity:
Management approval and commitment of the resources for implementing the ISMS project should be obtained by creating a business case and proposals for the ISMS project.
Inputs:
a) the output of activity 5.2 Clarifying the organization's priorities to develop an ISMS;
b) the output of activity 5.3 Defining the preliminary ISMS scope, documented in preliminary form:
1) the ISMS scope;
2) the relevant roles and responsibilities.
Guidance
The information for the current business case and the initial ISMS project plan should include the expected time frame, the resources and the milestones required for the main activities set out in Clauses 6 to 9 of this International Standard.
The business case and the initial project plan form the basis for the project, and also confirm management's commitment and its approval of the resources required to put the ISMS into operation. The way in which the ISMS is implemented to support the business objectives contributes to the effectiveness of organizational processes and increases business efficiency.
The business case for implementing the ISMS should be linked to the organization's objectives and should cover the following topics:
a) the specific goals and objectives;
b) the benefits to the organization;
c) the preliminary ISMS scope, including the business processes affected;
d) the processes and factors that most influence the achievement of the ISMS objectives;
e) an overall overview of the project;
f) the preliminary implementation plan;
g) the definition of roles and responsibilities;
h) the required resources (both technology and people);
i) implementation considerations, including the current state of information security;
j) the time frame with milestones;
k) the expected costs;
l) the critical success factors;
m) a quantification of the benefits to the organization.
The project plan should include the relevant activities in the phases set out in Clauses 6 to 9 of this International Standard.
Those who influence or are affected by the ISMS should be identified and given adequate time to review and comment on the business case for the ISMS and on the project proposal. The business case and the project proposal should be updated whenever necessary as new input is provided. To obtain sufficient support, the project proposal is presented to management for approval.
Management should approve the business case and the initial project plan in order to secure the organization's full commitment and to start the project.
The expected benefits of management's commitment to implementing the ISMS are:
a) awareness of and compliance with the relevant laws and regulations, as well as the contractual obligations and standards related to information security, thereby avoiding the consequences and penalties of non-compliance with these obligations;
b) efficient use of the various information security processes;
c) balance and increased confidence in growth through better management of information security risks;
d) identification and protection of business-critical information.
Output:
The deliverables of this activity are:
a) documented management approval to implement the project with the resources allocated for this purpose;
b) a documented current business case;
c) an initial ISMS project proposal with milestones, such as performing the risk assessment, implementation, internal audits and management reviews.
Other information
See ISO/IEC 27000:2009 for examples of the success factors that support the business case for an ISMS.
6 Defining ISMS scope, boundaries and ISMS policy

6.1 Overview of defining ISMS scope, boundaries and ISMS policy
Management approval for implementing the ISMS is based on the preliminary ISMS scope, the business case and the initial project plan. The detailed definition of the ISMS scope and boundaries, the definition of the ISMS policy, and management's acceptance and support of them are the key factors for the successful implementation of the ISMS.
Objectives:
To define the detailed scope and boundaries of the ISMS, develop the ISMS policy, and obtain management endorsement,

in accordance with ISO/IEC 27001:2005, 4.2.1 a) and 4.2.1 b).

To achieve the objective "define the detailed ISMS scope and boundaries", the following activities are necessary:
a) define the organizational scope and boundaries;
b) define the information and communication technology (ICT) scope and boundaries;
c) define the physical scope and boundaries;
d) the characteristics specified in ISO/IEC 27001:2005, 4.2.1 a) and b), such as the business, the organization, the location, the assets and the technological aspects of the scope and boundaries, and the policy, are determined in the process of defining the scope and boundaries;
e) integrate the individual scopes and boundaries to obtain the complete ISMS scope and boundaries.
To define the ISMS policy and obtain management acceptance, there is one necessary activity.
To build an effective management system for the organization, the detailed scope of the ISMS should be determined by considering the organization's critical information assets. It is important to have a common vocabulary and a systematic approach for identifying information assets and evaluating long-term security mechanisms; this facilitates communication and strengthens a consistent understanding throughout all phases of implementation. It is also important to ensure that the scope covers the organization's critical areas.
The ISMS scope can be defined to cover the whole organization, or part of it, such as a department or a subcomponent with clear boundaries. For example, in the case of "services" provided to customers, the ISMS scope could be the service, or the management system for a team with different functions (an entire department or part of a department). The requirements of ISO/IEC 27001:2005 must be fulfilled to obtain certification, regardless of the existing management systems applied within the organization.
The organizational scope and boundaries, the ICT scope and boundaries (6.3) and the physical scope and boundaries (6.4) do not always need to be carried out in sequence. It is, however, useful to refer to the scopes and boundaries already obtained when defining other scopes and boundaries.
[Figure 4 residue: upper box shows phases 5 to 9 along a timeline (5 obtain management approval for initiating the ISMS project; 6 define ISMS scope, boundaries and information security policy; 7 conduct requirements analysis; 8 conduct risk assessment and plan risk treatment; 9 design the ISMS), with phase 6 (ISMS scope and boundaries, ISMS policy) highlighted. Lower box shows the activities of phase 6 along a timeline: 6.2 define organizational scope and boundaries (output: organizational boundaries of the ISMS); 6.3 define information and communication technology (ICT) scope and boundaries (output: ICT scope and boundaries); 6.4 define physical scope and boundaries (output: physical scope and boundaries); 6.5 integrate all scopes and boundaries into the ISMS scope and boundaries (output: ISMS scope and boundaries); 6.6 develop the ISMS policy and obtain management approval (output: ISMS policy).]
Figure 4: Overview of defining ISMS scope and boundaries and ISMS policy
6.2 Defining organizational scope and boundaries
Activity
The organizational scope and boundaries should be defined.
Inputs
a) The output of activity 5.3 Defining the preliminary ISMS scope: the documented preliminary ISMS scope, which addresses:
1) the relationship between the areas of existing management systems, regulatory and compliance requirements, and the organization's objectives;
2) the characteristics of the business, the organization, its location, assets and technology.

b) The output of activity 5.2 Clarifying the organization's priorities to develop an ISMS: documented management approval to implement the ISMS and start the project, with the necessary resources allocated.

Guidance
The amount of effort required to implement an ISMS depends on the size of the scope to which the ISMS applies. This also affects all activities related to maintaining the information security of the elements included in the scope (such as processes, physical locations, IT systems and people), including implementing and maintaining controls, managing processes, and performing tasks such as identifying information assets and risk assessments. If management decides to exclude certain parts of the organization from the ISMS scope, it should document its reasons for doing so.
When defining the ISMS scope, it is important that its boundaries are clear enough to be explained to those who were not involved in defining it.
Some information security controls may already exist as a result of the use of other management systems. This should be taken into account when planning the ISMS, but without necessarily affecting the boundaries of the current ISMS scope.
One way to define organizational boundaries is to identify non-overlapping areas of responsibility, which facilitates the assignment of responsibility within the organization.
Responsibilities directly related to information assets or business processes that fall within the ISMS scope should be selected as part of the organization under the control of the ISMS. When defining the organizational boundaries, the following factors should be taken into account:
a) the ISMS management group should consist of the managers directly concerned with the ISMS scope;
b) the member of management responsible for the ISMS should be one of those with full responsibility for all of the areas of responsibility concerned (i.e. their roles are usually dictated by the boundaries of control and responsibility within the organization);
c) where the role responsible for managing the ISMS is not a member of top management, a sponsor from top management should represent information security interests and act as the advocate of the ISMS at the highest levels of the organization;
d) the scopes and boundaries need to be defined to ensure that all relevant assets are taken into account in the risk assessment, and to address the risks that may arise across these boundaries.
Depending on the approach taken, the organizational boundaries under analysis should identify all the people affected by the ISMS, and this should be covered by the scope. The identification of people may be linked to processes and/or functions, depending on the approach chosen. Where some processes within the scope are outsourced to a third party, those dependencies should be clearly documented. These dependencies will be subject to further analysis in the ISMS implementation project.

Output
The deliverables of this activity are:
a) a description of the organizational boundaries of the ISMS, including any justification for excluding parts of the organization from the ISMS scope;
b) the functions and structure of those parts of the organization that are within the ISMS scope;
c) identification of the information exchanged within the scope and across the boundaries;
d) the organizational processes and responsibilities for information assets, both inside and outside the scope;
e) the decision-making hierarchy and the organizational structure within the ISMS.
Other information
No specific other information.
6.3 Defining information and communication technology (ICT) scope and boundaries
Activity
The scope and boundaries of the information and communication technology (ICT) elements and other technology items covered by the ISMS should be defined.
Inputs
a) The output of activity 5.3 Defining the preliminary ISMS scope: the preliminary ISMS scope document.
b) The output of activity 6.2 Defining organizational scope and boundaries.
Guidance
The definition of the ICT scope and boundaries can be obtained through an information systems approach (rather than an IT-based approach). Once there is a management decision to include information system processes in the ISMS scope, all related ICT elements should also be taken into account. This includes all parts of the organization that store, process or transmit important information, assets, or information critical to the parts of the organization covered by the scope. Information systems may cross the boundaries of the organization or of the country; where this is the case, the following should be taken into account:

a) the socio-cultural environment;
b) the legal, regulatory and contractual requirements applicable to the organization;
c) accountability for key responsibilities;
d) technical constraints (e.g. available bandwidth, availability of services, etc.).
Taking the above into account, the ICT boundaries should include, where required, a description of the following:
a) the communications infrastructure for which management responsibility lies with the organization, across the different technologies (e.g. wireless, wired, or data/voice networks);
b) the software within the organizational boundaries that is used and controlled by the organization;
c) the ICT hardware required by the network(s), the applications or the production systems;
d) the roles and responsibilities related to ICT hardware, networks and software.
If one or more of the points above are not under the organization's control, the third-party dependencies should be documented.
See the guidance in 6.2.
Output
The deliverables of this activity are:
a) the information exchanged within the scope and across the boundaries;
b) the ICT boundaries of the ISMS, including any justification for excluding ICT under the organization's management from the ISMS scope;
c) the information systems and communication networks, describing what is within the scope together with the roles and responsibilities for these systems; a brief summary should be given of the systems outside the scope.

Other information
...


SLOVENIAN STANDARD SIST ISO/IEC 27003
March 2011
Informacijska tehnologija – Varnostne tehnike – Smernice za izvedbo
sistema upravljanja informacijske varnosti

Information technology – Security techniques – Information security management
system implementation guidance

Technologies de l'information – Techniques de sécurité – Lignes directrices pour
la mise en oeuvre du système de management de la sécurité de l'information

Reference designation
ICS 35.040 SIST ISO/IEC 27003:2011 (sl)

Continued on pages 2 to 65

© 2014-03: Slovenian Institute for Standardization (Slovenski inštitut za standardizacijo). Reproduction or copying of the whole or of parts of this standard is not permitted.

SIST ISO/IEC 27003 : 2011
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27003 (sl), Information technology – Security techniques – Information security management system implementation guidance, 2011, has the status of a Slovenian standard and is identical to the International Standard ISO/IEC 27003 (en), Information technology – Security techniques – Information security management system implementation guidance, 2010-02-01.

NATIONAL FOREWORD
The International Standard ISO/IEC 27003:2010 was prepared by subcommittee ISO/IEC JTC 1/SC 27 IT Security techniques of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission.

The Slovenian standard SIST ISO/IEC 27003:2011 is a translation of the International Standard ISO/IEC 27003:2010. The Slovenian standard SIST ISO/IEC 27003:2011 was prepared by technical committee SIST/TC ITC Information technology. In case of dispute concerning the text of the Slovenian translation, the original International Standard in English prevails.

The decision to issue this standard was taken by SIST/TC ITC Information technology on 25 November 2010.
RELATIONSHIP TO NATIONAL STANDARDS

SIST ISO/IEC 27000:2011 Information technology – Security techniques – Information security management systems – Overview and vocabulary

SIST ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements (superseded by SIST ISO/IEC 27001:2013)
BASIS FOR ISSUING THE STANDARD
– adoption of ISO/IEC 27003:2010

NOTES
– Wherever the term “International Standard” is used in the text of the standard, in SIST ISO/IEC 27003:2011 it means “Slovenian standard”.

– The national introduction and the national foreword are not an integral part of the standard.
Contents                                                                 Page
Foreword ..... 5
Introduction ..... 6
1 Scope ..... 7
2 Normative references ..... 7
3 Terms and definitions ..... 7
4 Structure of this International Standard ..... 7
4.1 General structure of clauses ..... 7
4.2 General structure of a clause ..... 8
4.3 Diagrams ..... 9
5 Obtaining management approval for initiating an ISMS project ..... 11
5.1 Overview of obtaining management approval for initiating an ISMS project ..... 11
5.2 Clarify the organization's priorities to develop an ISMS ..... 13
5.3 Define the preliminary ISMS scope ..... 15
5.3.1 Develop the preliminary ISMS scope ..... 15
5.3.2 Define roles and responsibilities for the preliminary ISMS scope ..... 15
5.4 Create the business case and the project plan for management approval ..... 16
6 Defining ISMS scope and boundaries and ISMS policy ..... 18
6.1 Overview of defining ISMS scope and boundaries and ISMS policy ..... 18
6.2 Define organizational scope and boundaries ..... 20
6.3 Define information and communication technology (ICT) scope and boundaries ..... 21
6.4 Define physical scope and boundaries ..... 22
6.5 Integrate all scopes and boundaries to obtain the ISMS scope and boundaries ..... 22
6.6 Develop the ISMS policy and obtain management approval ..... 23
7 Conducting information security requirements analysis ..... 24
7.1 Overview of conducting information security requirements analysis ..... 24
7.2 Define information security requirements for the ISMS process ..... 26
7.3 Identify assets within the ISMS scope ..... 27
7.4 Conduct an information security assessment ..... 27
8 Conducting risk assessment and planning risk treatment ..... 29
8.1 Overview of conducting risk assessment and planning risk treatment ..... 29
8.2 Conduct risk assessment ..... 31
8.3 Select control objectives and controls ..... 32
8.4 Obtain management authorization for implementing and operating the ISMS ..... 32
9 Designing the ISMS ..... 33
9.1 Overview of designing the ISMS ..... 33
9.2 Design organizational information security ..... 36
9.2.1 Design the final organizational structure for information security ..... 36
9.2.2 Design the ISMS documentation framework ..... 37
9.2.3 Design the information security policy ..... 38
9.2.4 Develop information security standards and procedures ..... 39
9.3 Design ICT and physical information security ..... 40
9.4 Design ISMS-specific information security ..... 42
9.4.1 Plan management reviews ..... 42
9.4.2 Design the information security awareness, training and education program ..... 43
9.5 Produce the final ISMS project plan ..... 45
Annex A (informative): Checklist description ..... 46
Annex B (informative): Roles and responsibilities for information security ..... 50
Annex C (informative): Information about internal auditing ..... 54
Annex D (informative): Structure of policies ..... 56
Annex E (informative): Monitoring and measuring ..... 60
Bibliography ..... 65
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

Draft International Standards are prepared in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to all members for voting. Publication as an International Standard requires approval by at least 75 % of the members casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27003 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction
The purpose of this International Standard is to provide practical guidance in developing the implementation plan for an information security management system (ISMS) within an organization in accordance with ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.

The process described in this International Standard has been designed to provide support for the implementation of ISO/IEC 27001:2005 (the relevant parts of Clauses 4, 5 and 7 inclusive) and documents:
a) the preparation for commencing an ISMS implementation plan in an organization, defining the organizational project structure and gaining management approval,
b) the critical activities for the ISMS project, and
c) examples of how to achieve the requirements of ISO/IEC 27001:2005.

By using this International Standard, the organization will be able to develop an information security management process and give interested parties assurance that the risks to information assets are continuously maintained within the acceptable information security bounds defined by the organization.
This International Standard does not cover the operational activities and other ISMS activities, but it does cover the concepts of how to design the activities that will take place after ISMS operation begins. The concept is reflected in the final ISMS project implementation plan. The actual execution of the organization-specific parts of an ISMS project is outside the scope of this International Standard.

The ISMS project should be carried out using standard project management methodologies (for more information, see the ISO and ISO/IEC standards addressing project management).

Information technology – Security techniques – Information security management system implementation guidance
1 Scope
This International Standard focuses on the critical aspects needed for the successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in this International Standard as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the ISMS implementation. Smaller organizations will find that the activities noted in this International Standard are applicable to them and can be simplified. Large or complex organizations may find that a layered organization or a layered management system is needed to manage the activities in this International Standard effectively. In both cases, however, the relevant activities can be planned by applying this International Standard.

This International Standard gives recommendations and explanations; it does not specify any requirements. It is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC 27002:2005, but is not intended to modify and/or reduce the requirements specified in ISO/IEC 27001:2005 or the recommendations given in ISO/IEC 27002:2005. Claiming conformity to this International Standard is not appropriate.

2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given below and in ISO/IEC 27000:2009 and ISO/IEC 27001:2005 apply.
3.1
ISMS project
structured activities undertaken by an organization to implement an ISMS

4 Structure of this International Standard
4.1 General structure of clauses

The implementation of an ISMS is an important activity and is generally executed as a project in an organization. This document explains how to implement an ISMS by focusing on the conception, planning and definition of the project. The process of planning the final ISMS implementation contains five phases, and each phase is presented in its own clause. All clauses have a similar structure, as described below. The five phases are:
a) obtaining management approval for initiating an ISMS project (Clause 5),
b) defining the ISMS scope and the ISMS policy (Clause 6),
c) conducting organization analysis (Clause 7),
d) conducting risk assessment and risk treatment planning (Clause 8),
e) designing the ISMS (Clause 9).
Figure 1 illustrates the five phases of ISMS project planning according to the ISO/IEC standards, together with the main output documents.
[Figure: flow diagram along a time axis showing the five ISMS project planning phases: Obtaining management approval for initiating the ISMS project (Clause 5); Defining the ISMS scope and boundaries and the ISMS policy (Clause 6); Conducting information security requirements analysis (Clause 7); Conducting risk assessment and risk treatment planning (Clause 8); Designing the ISMS (Clause 9). Main output documents shown: Management approval for initiating the ISMS project; ISMS scope and boundaries; ISMS policy; Information security requirements; Information assets; Risk assessment results; Risk treatment plan; Statement of Applicability (SoA), including control objectives and selected controls; Final ISMS project implementation plan; Written management approval for implementing the ISMS.]
Figure 1: Phases of the ISMS project
Further information is given in the annexes. These annexes are:
Annex A: Summary of activities with references to ISO/IEC 27001:2005
Annex B: Roles and responsibilities for information security
Annex C: Information about internal audit planning
Annex D: Structure of policies
Annex E: Information about planning of monitoring and measuring

4.2 General structure of a clause
Each clause contains:
a) one or more objectives, stated in boxed text at the beginning of the clause, specifying what is to be achieved, and
b) one or more activities necessary to achieve the objective or objectives of that phase.

Each activity is described in a subclause.

The activity descriptions in each subclause are structured as follows:

Activity
The activity defines what is necessary to satisfy this activity and to achieve all or some of the objectives of the phase.

Input
The input describes the starting point, such as the existence of documented decisions or outputs from other activities described in this International Standard. Inputs may either reference the complete output of an activity, giving only the relevant clause, or give specific information from an activity, added after the clause reference.

Guidance
The guidance provides detailed information to enable this activity to be performed. Some of the guidance may not be suitable in all cases, and other ways of achieving the results may be more appropriate.

Output
The output describes the result(s) or deliverable(s) on completion of the activity, e.g. a document. The outputs are the same regardless of the size of the organization or the scope of the ISMS.

Other information
Other information provides any additional information that may assist in performing the activity, for example references to other standards.

NOTE: The phases and activities described in this document include a suggested sequence for performing the activities, based on the dependencies identified through the input and output descriptions of each activity. However, depending on many different factors (e.g. the effectiveness of the management system currently in use, the understanding of the importance of information security, the reasons for implementing an ISMS), an organization may select any activity in any order as necessary for establishing and implementing the ISMS.

4.3 Diagrams
A project is often presented in graphical form or as a diagram in order to give an overview of the activities and outputs.
Figure 2 shows the legend for the diagrams presented in the overview subclause of each phase. The diagrams provide a high-level overview of the activities included in each phase.
[Figure: flow diagram legend. The upper box, "ISMS project planning phases", shows phases x, y and z on a time axis with their output documents (e.g. ISMS scope and boundaries, ISMS policy). The lower box, "Activities in each phase", shows activities A, B and C on a time axis, each with its output documents.]
Figure 2: Flow diagram legend
The upper box shows the phases of ISMS project planning. The phase explained in the given clause is highlighted, together with its main output documents.

The lower diagram (activities of the phase) includes the main activities that belong to the highlighted phase of the upper box, and the main output documents of each activity.

The flow of time in the lower box is based on the flow of time in the upper box.

Activity A and Activity B can be executed at the same time. Activity C should start after Activities A and B have finished.

5 Obtaining management approval for initiating an ISMS project
5.1 Overview of obtaining management approval for initiating an ISMS project

When deciding to implement an ISMS, a number of factors should be considered. To address these factors, management should understand the business case for the ISMS project and approve it. Thus the objective of this phase is:

Objective:
To obtain management approval to start the ISMS project by defining a business case and a project plan.
To obtain management approval, the organization should create a business case that includes the priorities and objectives for implementing the ISMS, together with an organizational structure for the ISMS. It should also create an initial ISMS project plan.
The work performed in this phase will enable the organization to understand the importance of the ISMS and will clarify the information security roles and responsibilities within the organization that are needed for the ISMS project.

The expected outputs of this phase are preliminary management approval and management's commitment to implement the ISMS and to perform the activities described in this International Standard. The deliverables of this clause include the business case and a draft ISMS project plan with key milestones.

Figure 3 illustrates the process of obtaining management approval for initiating the ISMS project.

NOTE: The output of Clause 5 (documented management commitment to plan and implement an ISMS) and one of the outputs of Clause 7 (a summary of documents on the information security status) are not requirements of ISO/IEC 27001:2005. However, these two outputs are recommended inputs for other activities described in this document.
[Figure: overview diagram for Clause 5. Upper box: the five planning phases on a time axis with phase 5 highlighted and its output "Management approval for initiating the ISMS project". Lower box, activities on a time axis: 5.2 Clarify the organization's priorities to develop an ISMS (outputs: summary of ISMS objectives; list of regulatory, contractual and industry constraints affecting the organization's information security; stated business characteristics); 5.3 Define the preliminary ISMS scope, consisting of 5.3.1 Develop the preliminary ISMS scope (output: preliminary ISMS scope) and 5.3.2 Define roles and responsibilities for the preliminary ISMS scope (output: description of roles and responsibilities for the ISMS implementation); 5.4 Create the business case and the project plan for management approval (outputs: business case; ISMS project proposal; ISMS project approval).]
Figure 3: Overview of obtaining management approval for initiating the ISMS project
5.2 Clarify the organization's priorities to develop an ISMS

Activity
Based on the determination of the organization's priorities and information security requirements, the objectives for implementing the ISMS should be included.
Input
a) The organization's strategic objectives,
b) an overview of the existing management systems,
c) a list of the legal, regulatory and contractual information security requirements applicable to the organization.
Guidance
Management approval is generally required to initiate an ISMS project. Therefore, the first activity to be performed is to collect the relevant information that demonstrates the value of an ISMS to the organization. The organization should clarify why it needs an ISMS, determine the objectives for implementing the ISMS, and initiate the ISMS project.

The objectives for implementing the ISMS can be determined by answering the following questions:
a) risk management – how will the ISMS improve the management of information security risks,
b) effectiveness – how can the ISMS improve the management of information security,
c) business advantages – how can the ISMS create a competitive advantage for the organization.
To answer the above questions, the organization should consider the following possible factors in its priorities and security requirements:
a) critical business and organizational areas:
1. Which business and organizational areas are critical?
2. Which organizational areas generate business, and what do they focus on?
3. Which relationships and agreements with third parties exist?
4. Are there any outsourced services?
b) sensitive and valuable information:
1. Which information is critical to the organization?
2. What would be the likely consequences if certain information were disclosed to unauthorized persons (e.g. loss of competitive advantage, damage to brand and reputation, legal action, etc.)?
c) laws that specify measures in the field of information security:
1. Which laws relating to risk treatment or information security apply to the organization?
2. Is the organization part of a public global organization that is subject to external financial reporting requirements?
d) contractual or organizational agreements relating to information security:
1. What are the data retention requirements (including retention periods)?
2. Are there contractual requirements relating to privacy or quality (e.g. service level agreements – SLAs)?
e) industry-specific requirements that prescribe particular information security controls and measures:
1. Which specific industry requirements apply to the organization?
f) the threat environment:
1. What protection is needed, and against which threats?
2. Which different categories of information require protection?
3. Which different information activities must be protected?
g) competitive drivers:
1. What are the minimum information security requirements in the market?
2. Which additional information security controls would give the organization a competitive advantage?
h) business continuity requirements:
1. Which business processes are critical?
2. How long can the organization tolerate an interruption of each critical business process?

Based on the answers to the above, the preliminary ISMS scope can be determined. It is also needed to build the business case and the overall ISMS project plan for obtaining management approval. The detailed ISMS scope will be determined during the ISMS project.

The requirements stated in ISO/IEC 27001:2005, 4.2.1 a), define the scope in terms of the characteristics of the business, the organization, its location, assets and technology. The information resulting from this activity supports that determination.
When making the initial scoping decisions, the topics to consider include:
a) What mandates does the organization's management give to information security management, and what are the organization's external obligations?
b) Is responsibility for the proposed systems in scope assigned to more than one management team (e.g. people in different subsidiaries or departments)?
c) How will ISMS-related documents be distributed across the organization (e.g. on paper or via the organization's intranet)?
d) Can the current management systems support the needs of the organization? Are they fully operational, well maintained and working as intended?

Examples of management objectives that may be used as input for defining the preliminary ISMS scope include:
a) promoting business continuity and disaster recovery,
b) improving resilience to incidents,
c) addressing legal/contractual requirements/obligations,
d) enabling certification against ISO/IEC standards,
e) enabling the development and positioning of the organization,
f) reducing the cost of security controls,
g) protecting assets of strategic value,
h) establishing a healthy and effective internal control environment,
i) providing assurance to stakeholders that information assets are adequately protected.

Output
The deliverables of this activity are:
a) a document summarizing the objectives, the information security priorities and the organizational requirements for the ISMS,
b) a list of the legal, contractual and industry-specific requirements relating to the organization's information security,
c) the stated characteristics of the business, the organization, its location, assets and technology.

Other information
ISO/IEC 9001:2008, ISO/IEC 14001:2004, ISO/IEC 20000-1:2005.

5.3 Define the preliminary ISMS scope

5.3.1 Develop the preliminary ISMS scope

Activity
The objectives for implementing the ISMS should include the definition of the preliminary ISMS scope needed for the ISMS project.

Input
Output from activity 5.2 Clarify the organization's priorities to develop an ISMS

Guidance
For the ISMS implementation project to proceed, the ISMS organizational structure should be defined. At this point the preliminary ISMS scope should be defined, in order to give management guidance for implementation decisions and to support the activities that follow.
The preliminary ISMS scope is needed to create the business case and the proposed project plan for management approval.
The output of this step will be a document that defines the preliminary ISMS scope and includes:
a) a summary of the mandates given by the organization's management to information security management, and of the organization's external obligations,
b) a description of how the area(s) in scope interact with other management systems,
c) a list of the business objectives of information security management (as determined in 5.2),
d) a list of the critical business processes, systems, information assets, organizational structures and geographical locations to which the ISMS will apply,
e) the relationship between the existing management systems, regulations, compliance provisions and the organization's objectives,
f) the characteristics of the business, the organization, its location, assets and technology.

The common elements and the operational differences between the processes of all existing management systems and the proposed ISMS should be identified.

Output
The deliverable is a document describing the preliminary ISMS scope.

Other information
No other specific information.

NOTE: Particular attention should be paid to meeting the specific ISO/IEC 27001:2005 certification requirements for documentation relating to the ISMS scope, since these must be met regardless of the management systems operating in the organization.
5.3.2 Define roles and responsibilities for the preliminary ISMS scope

Activity
The general roles and responsibilities for the preliminary ISMS scope should be defined.

Input
a) Output from activity 5.3.1 Develop the preliminary ISMS scope,
b) a list of the stakeholders who will benefit from the results of the ISMS project.

Guidance
For the ISMS project to proceed, the role that manages the project organization should be defined. This role generally differs from one organization to another because of the number of people engaged in information security. The organizational structure and the resources for information security vary with the size, type and structure of the organization. For example, in a smaller organization several roles may be performed by the same person. However, management should explicitly identify this role (usually the information security manager, security engineer or similar) as having overall responsibility for managing information security, and should also assign staff roles and responsibilities based on the competence required to do the work. It is essential to ensure that the tasks are performed efficiently and effectively.

The most important considerations when defining roles for information security management are:
a) overall responsibility for the tasks remains at management level,
b) one person (usually the information security manager) is appointed to promote and coordinate the information security process,
c) every employee is equally responsible for his or her regular duties and for maintaining information security in the workplace and in the organization.

The roles for information security management should work together; this can be encouraged through a security forum or a similar body.
At all stages of ISMS development, implementation, operation and maintenance, cooperation with the relevant business experts should take place (and be documented).

Representatives of the departments within the identified scope (such as risk management) are possible members of the ISMS implementation team. For speed and effective use of resources, this team should be kept to the smallest practical size. Such areas are not only those directly included in the ISMS scope, but also indirect business areas such as the legal department, risk management and administrative departments.

Output
The deliverable is a document or table describing the roles and responsibilities, with names, and the organization needed for the successful implementation of the ISMS.

Other information
Annex B contains details of the roles and responsibilities that an organization needs for the successful implementation of an ISMS.
5.4 Create the business case and the project plan for management approval

Activity
By creating the business case and the ISMS project proposal, management approval and commitment of resources for the ISMS implementation project should be obtained.
Input
a) Output from activity 5.2 Clarify the organization's priorities to develop an ISMS,
b) output from activity 5.3 Define the preliminary ISMS scope – the documented preliminary
1. ISMS scope, and
2. the associated roles and responsibilities.

Guidance
The information in the business case and the initial ISMS project plan should include the estimated schedule, the resources and the milestones needed for the main activities set out in Clauses 6 to 9 of this International Standard.
The business case and the initial ISMS project plan form the basis of the project, but they also secure management commitment and the approval of resources for implementing the ISMS. The way in which the implemented ISMS will support the business objectives contributes to the effectiveness of the organization's processes and increases business efficiency.

The business case for implementing the ISMS should include brief statements linked to the organization's objectives and should cover the following areas:
a) objectives, including specific ones,
b) benefits for the organization,
c) the preliminary ISMS scope, including the business processes affected,
d) the critical processes and factors for achieving the ISMS objectives,
e) a high-level overview of the project,
f) the initial implementation plan,
g) the defined roles and responsibilities,
h) the required resources (both technology and people),
i) implementation considerations, including existing information security,
j) a schedule with milestones,
k) the expected costs,
l) the critical success factors,
m) the magnitude of the benefits for the organization.

The project plan should include the relevant activities of the phases in Clauses 6 to 9 defined in this International Standard.

The individuals who influence or are influenced by the ISMS should be identified and given sufficient time to review and comment on the ISMS business case and the ISMS project proposal. The business case and the ISMS project proposal should be updated as necessary when the inputs change. Once sufficient support has been obtained, the business case and the ISMS project proposal should be presented to management for approval.

Management should approve the business case and the initial project plan in order to achieve full organizational commitment and to start the ISMS project.

The expected benefits of management commitment to implementing the ISMS are:
a) awareness and adoption of the relevant legislation, regulations, contractual obligations and standards relating to information security, leading to the avoidance of liabilities and penalties for non-compliance,
b) effective use of multiple information security processes,
c) stability and increased confidence in growth through better management of information security risks,
d) identification and protection of business-critical information.

Output
The deliverables of this activity are:
a) documented management approval to carry out the ISMS project, with allocated resources,
b) a documented business case,
c) an initial ISMS project proposal with milestones, such as performing the risk assessment, implementation, internal audits and management review.
Other information
ISO/IEC 27000:2009, for examples of critical success factors in support of the ISMS business case.
6 Defining the ISMS scope, boundaries and ISMS policy

6.1 Overview of defining the ISMS scope, boundaries and ISMS policy

Management approval for implementing the ISMS is based on the preliminary ISMS scope, the ISMS business case and the initial project plan. The detailed definition of the ISMS scope and boundaries, the definition of the ISMS policy, and their acceptance and support by management are the key primary factors for a successful ISMS implementation.

Thus the objectives of this phase are:
Objectives:
To define the detailed scope and boundaries of the ISMS, to develop the ISMS policy and to obtain management approval.
Reference to ISO/IEC 27001:2005, 4.2.1 a), 4.2.1 b)

To achieve the objective "Define the detailed scope and boundaries of the ISMS", the following activities are needed:
a) defining the organizational scope and boundaries,
b) defining the information and communication technology (ICT) scope and boundaries,
c) defining the physical scope and boundaries,
d) determining the characteristics referred to in ISO/IEC 27001:2005, 4.2.1 a) and b), i.e. the aspects of the business, organization, location, assets and technology within the scope and boundaries, and the policy defined in the process of defining these scopes and boundaries,
e) integrating the basic scopes and boundaries to obtain the ISMS scope and boundaries.

To define the ISMS policy and obtain its acceptance by management, only one activity is needed.
To build an effective management system for the organization, the detailed ISMS scope should be defined taking into account the organization's critical information assets. It is important to have a common terminology and a systematic approach to identifying information assets and assessing the security mechanisms in place. This allows easy communication and promotes a consistent understanding through all phases of the implementation. It is equally important to ensure that the critical areas of the organization are included in the scope.

The ISMS scope can be defined to cover the whole organization or a part of it, such as a business area or a clearly delimited part of a subsidiary. For example, for a "service" provided to customers, the ISMS scope can be a single service or a multi-functional management system (the whole business area or a part of it). The ISO/IEC 27001:2005 certification requirements must be met regardless of the management systems already operating in the organization.

The organizational scope and boundaries, the ICT scope and boundaries (6.3) and the physical scope and boundaries (6.4) do not always have to be determined in sequence. However, it is useful to take account of the scope and boundaries already obtained when defining the remaining scopes and boundaries.
[Figure: overview diagram for Clause 6. Upper box: the five planning phases on a time axis with phase 6 highlighted and its outputs "ISMS scope and boundaries" and "ISMS policy". Lower box, activities on a time axis: 6.2 Define organizational scope and boundaries (output: organizational ISMS boundaries); 6.3 Define information and communication technology scope and boundaries (output: ICT scope and boundaries); 6.4 Define physical scope and boundaries (output: physical scope and boundaries); 6.5 Integrate all scopes and boundaries to obtain the ISMS scope and boundaries (output: ISMS scope and boundaries); 6.6 Develop the ISMS policy and obtain management approval (output: ISMS policy).]
Figure 4: Overview of defining the ISMS scope, boundaries and ISMS policy
6.2 Define organizational scope and boundaries

Activity
The organizational scope and boundaries should be defined.

Input
a) Output from activity 5.3 Define the preliminary ISMS scope – the documented preliminary ISMS scope, which gives:
1. the relationship between the existing management systems, regulations, compliance provisions and organizational objectives,
2. the characteristics of the business, the organization, its location, assets and technology;
b) output from activity 5.2 Clarify the organization's priorities to develop an ISMS – documented management approval to implement the ISMS and start the project, with the necessary resources allocated.

Guidance
The amount of effort needed to implement the ISMS depends on the size of the scope to be implemented. This can also affect all the activities associated with maintaining the information security of the items in scope (such as processes, physical locations, IT systems and people), including implementing and maintaining controls, managing operations, and performing tasks such as identifying information assets and assessing risks. If management decides to exclude particular parts of the organization from the ISMS scope, the reasons for this should be documented.
Once the ISMS scope has been defined, it is important that its boundaries are sufficiently clear to those who did not take part in defining it.
Some controls relating to information security may already exist as a result of implementing other management systems. They should be taken into account when the ISMS is planned, but they will not necessarily reflect the boundaries and scope of the current ISMS.

One method of defining organizational boundaries is to identify those areas of responsibility that do not overlap, in order to make the assignment of responsibility within the organization easier.

Responsibilities that are directly linked to the information assets or business processes included in the ISMS scope should be selected as the part of the organization under ISMS control. When determining the organizational boundaries, the following factors should be considered:
a) the ISMS management board should consist of management representatives who are directly involved in determining the ISMS scope;
b) the member of management responsible for the ISMS should be the one ultimately accountable for all the areas affected by that responsibility (i.e. their role is usually dictated by their span of control and responsibility in the organization);
c) where the role responsible for managing the ISMS does not belong to senior management, it is essential that a member of top management acts as a sponsor who represents the interests of information security and advocates the ISMS at the highest levels of the organization;
d) the scope and boundaries must be defined so as to ensure that all the relevant assets are taken into account in the risk assessment and that the risks which could arise across these boundaries are addressed.
Based on the chosen approach, the analysis of the organizational boundaries should identify all the personnel affected by the ISMS, and they should be included in the scope. The identification of personnel may be tied to processes and/or functions, depending on the approach chosen. If some processes in scope are outsourced to third parties, these dependencies should be clearly documented. Such dependencies will be analysed further in the ISMS implementation project.
Output
The deliverables of this activity are:
a) a description of the organizational boundaries for the ISMS, including any justifications for parts of the organization excluded from the ISMS scope,
b) the functions and structures of those parts of the organization that are within the ISMS scope,
c) identification of the information exchanged within the ISMS scope and of the information exchanged across its boundaries,
d) the organizational processes and responsibilities for information resources within and outside the scope,
e) the process for the decision-making hierarchy, as well as the structure within the ISMS.

Other information
No other specific information.

6.3 Define information and communication technology (ICT) scope and boundaries

Activity
The scope and boundaries of the information and communication technology (ICT) elements and other technology items covered by the ISMS should be defined.

Input
a) Output from activity 5.3 Define the preliminary ISMS scope – the preliminary ISMS scope document,
b) output from activity 6.2 Define organizational scope and boundaries.

Guidance
The ICT scope and boundaries can be obtained using an information system approach (rather than an IT-based approach). Once management's decision to include the business processes of the information system in the ISMS has been obtained, all the related ICT elements should be taken into account. This includes all parts of the organization that store, process or transmit critical information or resources, or those that are critical to parts of the organization
...
